ClawHub

cn-weather

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward China weather lookup skill that uses disclosed weather endpoints and does not install code, access local data, or request credentials.

Install this only if you are comfortable with city names from weather queries being sent to the listed CMA weather services. Avoid providing unusually precise or sensitive location details if you do not want that information shared externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill description mandates triggering for very broad weather-related prompts, including casual mentions of clothing or travel advice. This can cause unnecessary activation and data disclosure to third-party APIs when the user did not clearly request a live weather lookup, creating an over-collection and least-privilege issue.

External Transmission

Medium
Category
Data Exfiltration
Content
调用站点查询接口,将城市名转为气象站点 ID:

```bash
curl --location 'https://data.cma.cn/kbweb/home/getStationID' \
  --header 'Content-Type: application/json' \
  --data '{"city":"<城市名>"}'
```
Confidence
88% confidence
Finding
curl --location 'https://data.cma.cn/kbweb/home/getStationID' \ --header 'Content-Type: application/json' \ --data '{"city":"<城市名>"}' ``` **说明:** - `<城市名>` 替换为用户输入的城市,例如 `张家港`、`北京`、`上海` - 响应中提取站点

External Transmission

Medium
Category
Data Exfiltration
Content
调用站点查询接口,将城市名转为气象站点 ID:

```bash
curl --location 'https://data.cma.cn/kbweb/home/getStationID' \
  --header 'Content-Type: application/json' \
  --data '{"city":"<城市名>"}'
```
Confidence
88% confidence
Finding
https://data.cma.cn/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal