Weather via OpenMeteo (via openmeteo-sh cli; advanced ver)

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent weather-query helper that uses a disclosed Open-Meteo command-line tool and does not show hidden code, credential access, persistence, or unrelated behavior.

Before installing, make sure you trust the external openmeteo-sh CLI and the package source you choose. Avoid using precise coordinates unless needed, and be aware that city or coordinate lookups are sent to Open-Meteo endpoints for weather and geocoding results.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The skill explicitly tells the agent to use the user's default city/country from session context when no location is provided, but it does not require disclosure or confirmation to the user. This can cause implicit use of contextual location data the user did not realize was being accessed, creating a privacy and transparency issue even though the resulting impact is limited to weather-query context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal