alibabacloud-iqs-weather-query

Security checks across malware telemetry and agentic risk

Overview

This weather skill mostly matches its purpose, but it tells the agent to modify its parser code after reading external weather pages.

Install only if you are comfortable providing an Alibaba Cloud IQS API key and can keep the skill from making automatic code edits. Treat raw webpage text as untrusted, manually review any proposed parser changes, and store the API key with restrictive permissions or a secret manager rather than committing it or broadly exposing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The skill explicitly instructs the agent to go beyond answering weather queries and to modify the codebase by adding new parsers. That behavior is outside the stated purpose of a query skill and creates an unsafe capability expansion path, especially because the new parser logic is derived from externally retrieved site content and format observations.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The documentation presents a simple weather lookup tool but embeds an autonomous self-evolution workflow that changes code over time. This mismatch is dangerous because users and operators may invoke the skill expecting read-only behavior while the agent is actually being instructed to perform repository modifications.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The unknown-site fallback embeds an instruction telling the downstream agent to analyze page content and then write and register a new parser in scripts/weather.mjs. That is a self-modification prompt unrelated to the immediate task of returning a weather forecast, and because the raw text comes from an external webpage, it creates a prompt-injection path where untrusted content can influence future code changes or maintenance actions.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The skill instructs the agent to write new parser functions without any warning, consent, or approval checkpoint. Unapproved code modification is a high-risk action because it can introduce malicious or defective logic into the codebase through normal skill execution.

Ssd 4

Severity: High
Confidence: 99%
Finding: The raw-mode workflow turns untrusted webpage retrieval into a trigger for autonomous code changes, effectively bridging external content into internal development actions. This is a classic unsafe design because malicious or malformed pages can steer the agent into generating harmful parsers or making persistent changes based on adversarial input.

Ssd 1

Severity: High
Confidence: 97%
Finding: The evolveHint mechanism explicitly frames untrusted page content and site patterns as guidance for the agent to create new parsers. That creates a semantic prompt-injection channel where hostile webpage content can shape future code generation and potentially persist attacker-influenced logic in the system.

Ssd 4

Severity: Medium
Confidence: 99%
Finding: The fallback returns a multi-step instruction directing the agent to first answer the user and then synthesize and register new code based on raw page content. In this skill's context, the content originates from arbitrary external websites, so this instruction meaningfully increases the risk of prompt injection, unsafe code suggestions, and unauthorized persistence of untrusted behavior into the codebase.

VirusTotal

66/66 vendors flagged this skill as clean.