Weather Forecasts111

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward weather skill that queries wttr.in and shows forecast data, with a privacy note around location lookup.

Install only if you are comfortable with weather queries being sent to wttr.in. If you omit a city, the service may infer location from the request IP; provide an explicit city or coordinates if you want more control.

Publisher note

asdfasfasfasfasdasdasdasdasd

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The trigger phrases include very generic everyday expressions such as asking about weather, which can cause unintended invocation during normal conversation. Accidental activation can expose user context such as inferred location/IP-based lookup or cause unanticipated network requests without clear user intent.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The script sends user-supplied location data to a third-party service and, when no city is provided, implicitly falls back to IP-based geolocation. That can disclose sensitive location information without any user-facing notice or consent, which is a real privacy/security concern in this skill context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal