Qweather

Security checks across malware telemetry and agentic risk

Overview

This is a small weather lookup skill with disclosed QWeather API use; the main caution is that it embeds a shared API key.

Install only if you are comfortable sending requested city codes, city names, or coordinates to QWeather through the publisher-provided shared API key. Prefer a version that lets users configure their own QWeather API host and key, and expect some advertised features to need cleanup.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Context-Inappropriate Capability

Medium

Confidence: 99% confidence
Finding: The document exposes a directly usable QWeather API key in plaintext. Even if the key has host/IP restrictions, publishing live credentials enables unauthorized use, quota exhaustion, service abuse, and creates unnecessary attack surface if restrictions are misconfigured or later relaxed.

Missing User Warnings

High

Confidence: 99% confidence
Finding: Publishing a live credential in Markdown without any sensitivity warning or secure handling guidance normalizes unsafe secret management and allows anyone with repository access to reuse the key. In a skill context, this is more dangerous because documentation is broadly readable and likely to be copied, indexed, or logged.

VirusTotal

No VirusTotal findings

View on VirusTotal