Credential Access
High
- Category
- Privilege Escalation
- Content
# 方式一:环境变量(推荐) export JUHE_WEATHER_KEY=你的AppKey # 方式二:.env 文件 echo "JUHE_WEATHER_KEY=你的AppKey" > scripts/.env # 方式三:命令行传入
- Confidence
- 88% confidence
- Finding
- .env
Security audit
全国天气预报查询 - 聚合数据
Security checks across malware telemetry and agentic risk
Overview
This is a straightforward weather lookup skill, with ordinary API-key handling risks users should manage carefully.
Install only if you are comfortable providing a Juhe weather API key. Prefer the JUHE_WEATHER_KEY environment variable, avoid passing the key on the command line, do not commit scripts/.env, and consider changing the Juhe endpoints to HTTPS if supported.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)
Credential Access
High
- Category
- Privilege Escalation
- Content
export JUHE_WEATHER_KEY=你的AppKey # 方式二:.env 文件 echo "JUHE_WEATHER_KEY=你的AppKey" > scripts/.env # 方式三:命令行传入 python scripts/weather.py --key 你的AppKey 北京
- Confidence
- 93% confidence
- Finding
- .env
VirusTotal
57/57 vendors flagged this skill as clean.
Static analysis
No suspicious patterns detected.