weather

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward weather lookup skill that runs a local Python helper and queries Open-Meteo for the requested city.

Reasonable to install for weather queries. Be aware that it runs a bundled Python script, may require the common requests package, and sends the city or place name you ask about to Open-Meteo.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill declares only Bash as an allowed tool, but its documented behavior relies on a Python script that performs geocoding/weather lookups, implying outbound network access without an explicit permission declaration. Hidden or undeclared network capability weakens platform trust boundaries and can expose user queries or enable unexpected data exfiltration if the script behavior changes or is abused.

Vague Triggers

Medium
Confidence: 78%
Finding: The description uses broad activation language such as any weather-related question, temperature lookup, or meteorological inquiry, which can cause over-triggering outside clear user intent boundaries. Over-broad triggers are dangerous because they may capture unrelated conversation context and send it into the skill pipeline, increasing accidental data exposure and unexpected tool execution.

VirusTotal

66/66 vendors flagged this skill as clean.
