WeatherKit

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Apple WeatherKit client with expected credential use, but users should handle the Apple key carefully and avoid exposing debug logs.

Install only if you are comfortable giving the skill access to a WeatherKit-specific Apple private key and sending latitude/longitude forecast requests to Apple. Keep the .p8 key outside shared folders, restrict its permissions, avoid sharing stderr logs if queried locations are sensitive, and rotate the key if you suspect exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation instructs users to provide sensitive identifiers and a private key path for JWT authentication, but it does not include warnings about secret handling, least-privilege usage, or avoiding disclosure in logs and transcripts. Because this skill depends on Apple developer credentials and a private key, poor guidance can lead to accidental exposure of long-lived secrets that could enable unauthorized API access or misuse of the associated Apple account resources.

Missing User Warnings

Medium
Confidence: 96%
Finding
The code logs raw HTTP response bodies to stderr both on success and on HTTP/JSON parsing failures. API responses can contain sensitive or unexpected data, and stderr is often captured by orchestrators, CI logs, agent platforms, or shared monitoring systems, causing unintentional data exposure and log-forging risk.

VirusTotal

64/64 vendors flagged this skill as clean.
