get tomorrow weather of beijing , with Chinese almanac information

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Beijing weather and almanac reminder with disclosed external lookups and Feishu delivery, though users should configure the schedule, recipient, and API credentials carefully.

Before installing, confirm the Feishu recipient openid, make sure the daily 18:00 schedule is visible and easy to remove, and store any mxnzp API secret securely rather than embedding it in shared skill text or shell history.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The manual trigger phrases include very common utterances like '明天天气怎么样' and '天气推送', which can overlap with ordinary conversational weather requests. This can cause the skill to activate unexpectedly and send outbound messages or perform external lookups when the user only intended to ask a casual question, creating consent and privacy issues.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill description does not clearly warn that it will call external services and send a message to a Feishu recipient. Users may not realize their requests trigger network access and outbound messaging, which weakens informed consent and can lead to unintended disclosure of timing, usage, or recipient metadata.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal