ClawHub

Weather Forecast - 全国天气预报

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward weather lookup skill that sends the user’s chosen weather query to JisuAPI and does not show hidden, persistent, or destructive behavior.

Install this only if you are comfortable using JisuAPI for weather data. Prefer city-name queries over exact coordinates or IP address when possible, and use a dedicated JISU_API_KEY with normal quota controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill accepts caller-supplied `ip` and forwards it to a third-party weather API, enabling geolocation based on an IP address rather than a city name alone. In a weather skill this may be functionally relevant, but it expands the data collection surface beyond the manifest’s simple weather-query description and can disclose personal location-related data without clear consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users to submit precise latitude/longitude or IP address to a third-party weather provider, but it does not clearly warn that these are personal or sensitive location identifiers being transmitted off-platform. This creates a privacy risk because users and integrators may disclose unnecessary location data without informed consent or minimization.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill can send precise latitude/longitude or an IP address to a third-party API, which may reveal a user's approximate or exact location. Because there is no user-facing disclosure, minimization, or consent flow in the skill, users may unknowingly expose sensitive location data during ordinary weather requests.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal