Weather Forecast Lookup

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward weather lookup skill that calls wttr.in, with the main caveat that weather queries may reveal a city or IP-based location to that service.

Install only if you are comfortable with weather lookups being sent to wttr.in. Provide an explicit city to avoid IP-based location lookup, and be aware that ordinary weather questions may invoke the skill.

Publisher note

Weather forecast, weather, rain, strong wind, city weather

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions, yet its documented behavior requires shell-capable execution via `python3` and `curl`. This creates a transparency and policy gap: reviewers and users are not accurately informed about the capability surface, which can enable unexpected command execution or network access once the underlying script is invoked.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases include very common conversational text such as '查天气' and '今天天气怎么样', making accidental invocation likely during normal chat. Overly broad triggers can cause the skill to run unexpectedly, leading to unintended network requests, data disclosure such as IP-based location lookup, or interference with user intent routing.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill sends user-provided city data, and potentially the user's IP-derived location when no city is supplied, to the third-party service wttr.in without any disclosure or consent flow. In a weather skill, transmitting location-related data is expected functionally, but the silent external transfer still creates a real privacy issue.

VirusTotal

VirusTotal findings are pending for this skill version.
