Weather via OpenMeteo (via openmeteo-sh cli; simple ver)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward weather lookup helper that uses a disclosed OpenMeteo CLI and does not request credentials or persistent access.

Install this only if you are comfortable installing and trusting the external openmeteo-sh CLI from the documented package or source locations. Weather requests may reveal the city or coordinates you ask about to Open-Meteo, but the skill does not ask for API keys, credentials, persistent access, or unrelated local data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The description uses very broad, everyday-language triggers such as weather, temperature, rain, snow, wind, and umbrella, which can cause the skill to be invoked in many casual contexts beyond explicit weather requests. Over-broad invocation increases the chance of unintended tool use, unnecessary disclosure of location/context to the tool, and incorrect routing when a user meant something non-tool-related or metaphorical.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal