Weather Checker

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward weather lookup skill; the main cautions are visible installation steps that fetch code and optionally create command symlinks.

Install from the bundled reviewed weather_checker.py or a verified release instead of the placeholder raw GitHub URL. Prefer a user-level ~/.local/bin symlink over sudo unless you intentionally want a system-wide command, and remember that city/location queries are sent to Open-Meteo.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly describes and depends on network access to query the Open-Meteo API, but the manifest metadata only declares a binary requirement and does not declare the network capability. This creates a permissions/documentation mismatch that can mislead users and security tooling about the skill's real behavior, reducing transparency and informed consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill sends user-supplied city names to an external geocoding service without clearly disclosing that user input will be transmitted off-host. While the data is low sensitivity in most cases, location queries can still reveal user interests, whereabouts, or habits, making this a genuine privacy/security concern in an agent context.

External Transmission

Medium
Category
Data Exfiltration
Content
### 2. Download the script
```bash
curl -O https://raw.githubusercontent.com/yourusername/weather-checker/main/weather_checker.py
chmod +x weather_checker.py
```
Confidence
90% confidence
Finding
curl -O https://raw.githubusercontent.com/yourusername/weather-checker/main/weather_checker.py chmod +x weather_checker.py ``` ### 3. Create a global command (optional) ```bash sudo ln -sf $(pwd)/weather_checker.py /usr/loc

VirusTotal

50/50 vendors flagged this skill as clean.
