Back to skill

Security audit

Weather data loader (both history and forecast)

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward weather-data fetcher that uses Open-Meteo as disclosed and does not show hidden data access, persistence, or destructive behavior.

Install this if you are comfortable running local Python scripts that contact Open-Meteo. Avoid entering locations or coordinates you consider private, and use a virtual environment if you want tighter dependency control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation describes executing local Python scripts that perform network access and likely produce output files or formatted artifacts, yet the skill declares no permissions. This creates a transparency and policy-enforcement gap: an agent or reviewer may treat the skill as low-risk while it can invoke shell commands, reach external services, and potentially write data locally.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.