skills-weather

Security checks across malware telemetry and agentic risk

Overview

This weather skill appears consistent with its purpose, but users should protect their QWeather credentials and verify the external npm package before installing.

Before installing, confirm that the npm package and GitHub repository are the ones you intend to trust. Use your own QWeather credentials, treat privateKey, appId, and credentialId as secrets, avoid committing the config file to source control, and only submit locations or coordinates you are comfortable sharing with the weather provider.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation includes an example configuration containing realistic credential-bearing fields, including a populated privateKey, appId, and credentialId, but provides no warning that these values are secrets that must be protected and never committed or shared. In a network-enabled skill that authenticates to a third-party weather API, this can lead users to copy sensitive values into files, logs, screenshots, or repositories, causing credential leakage and unauthorized API use.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal