Back to skill

Security audit

Weather Daily

Security checks across malware telemetry and agentic risk

Overview

This appears to be a weather helper with broad trigger words, but there is no evidence of harmful access, hidden behavior, or unsafe installation behavior.

Installing looks reasonable if you want a weather-focused skill. Be aware it may activate on very general weather phrases, and check whether it responds in the language you expect before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README advertises a long list of generic weather-related keywords, including broad multilingual phrases like 'weather', 'today's weather', and 'what to wear', without any scope constraints, disambiguation rules, or exclusions. In agent ecosystems that use keyword matching for invocation or routing, this can cause over-triggering, accidental activation, or interception of unrelated user requests, especially because the skill claims worldwide coverage and multiple weather use cases.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The manifest uses a very broad set of weather-related keywords in both Chinese and English, including generic everyday terms like 'weather', 'forecast', 'today weather', and 'rain'. This can cause the skill to be invoked for routine user requests without clear activation boundaries, increasing the risk of overbroad triggering, accidental routing, or user confusion about which skill is responding.

Natural-Language Policy Violations

Low
Confidence
73% confidence
Finding
The manifest mixes Chinese and English trigger keywords but provides no indication of locale handling, language selection, or how users control which language experience they receive. This can lead to ambiguous routing, mismatched responses, or unintended activation across language contexts, especially in multilingual environments.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.