ClawHub

weather

Security checks across malware telemetry and agentic risk

Overview

This is a simple weather lookup skill that tells the agent to query public weather services, with no executable code, install hooks, credential use, or persistence.

Before installing, know that any city, airport code, or coordinates you query will be sent to wttr.in or Open-Meteo. Prefer city-level locations over exact home or sensitive coordinates when privacy matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence
91% confidence
Finding
The skill encourages direct requests to third-party weather services using user-supplied locations, but it does not warn users that location queries will be transmitted externally. While the data shared is usually low sensitivity, locations can still reveal travel plans, home/work areas, or other personal context, so the omission is a real privacy weakness.

External Transmission

Medium
Category
Data Exfiltration
Content
Free, no key, good for programmatic use:
```bash
curl -s "https://api.open-meteo.com/v1/forecast?latitude=51.5&longitude=-0.12&current_weather=true"
```

Find coordinates for a city, then query. Returns JSON with temp, windspeed, weathercode.
Confidence
84% confidence
Finding
https://api.open-meteo.com/

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal