Security audit

Weather

Security checks across malware telemetry and agentic risk

Overview

This is a normal weather skill that sends queried locations to weather providers, with no evidence of hidden persistence, credential access, or destructive behavior.

Reasonable to install if you are comfortable sending searched locations to external weather and geocoding providers. Prefer city-level locations over exact home or work coordinates when privacy matters. Maintainers should add a clear privacy notice in the README, SKILL.md, and CLI help listing the providers and what location data is shared.

SkillSpector

By NVIDIA
Vulnerability patterns checked
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Severity: Low
Confidence: 89%
Finding
The README advertises use of multiple third-party weather APIs but does not clearly warn users that queried locations, airport codes, or coordinates may be transmitted to external services. This is a genuine privacy/transparency issue because location data can be sensitive, especially for precise coordinates or repeated queries that reveal habits, even though the file itself does not contain code execution or credential theft behavior.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill sends user-supplied city names, coordinates, and potentially inferred language/system locale information to third-party weather services, but the description does not warn users about this data disclosure. Location data can be sensitive, and silent transmission to external services creates a privacy risk even if the intended functionality is benign.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The code sends user-supplied location data to third-party services such as wttr.in, Open-Meteo, and geocoding endpoints, but this file contains no notice, consent flow, or minimization for that transmission. Location data can be sensitive personal information, and forwarding it to external providers may create privacy and compliance risk even if the service is otherwise legitimate.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The help text advertises the CLI as free and easy to use, but does not disclose that user-supplied city/location input may be transmitted to third-party weather providers such as wttr.in, Open-Meteo, WAQI, or pollen services. This is a real privacy/transparency issue because location data can be sensitive, and users may unknowingly expose their query history or approximate whereabouts to external services.
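All four findings describe the same gap: the code contacts third-party hosts that the README, SKILL.md and CLI help never name. The script below is an added example of how an auditor can check for that gap mechanically; it is not SkillSpector's code and not the skill's own. It pulls hostnames out of URL literals in the source, pulls hostnames out of the user-facing docs, and reports every code host whose registrable domain no doc mentions. The file contents are constructed stand-ins for the skill's real files, and coarsen() illustrates the city-level coordinate minimization the overview recommends.

```python
import re
from urllib.parse import urlparse

# Constructed sample inputs (stand-ins, not the skill's real files): a source
# module that calls several providers and docs that only name some of them.
SOURCE_FILES = {
    "weather.py": '''
import requests
WTTR = "https://wttr.in/{loc}?format=j1"
METEO = "https://api.open-meteo.com/v1/forecast?latitude={lat}&longitude={lon}"
GEO = "https://geocoding-api.open-meteo.com/v1/search?name={q}"
AQI = "https://api.waqi.info/feed/geo:{lat};{lon}/"
def fetch(url):
    return requests.get(url, timeout=10).json()
''',
}
DOC_FILES = {
    "README.md": "Weather CLI. Uses wttr.in and Open-Meteo (api.open-meteo.com) for forecasts.",
    "SKILL.md": "Free and easy to use. Pass a city name or lat,lon.",
}

# URL literals in code; stops at quotes, whitespace and closing brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
# Bare hostnames in prose (wttr.in, api.open-meteo.com). Filenames such as
# SKILL.md also match, which is harmless: this set is only used as a whitelist.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def external_hosts(sources):
    """Hostnames of every URL literal found in the source files."""
    hosts = set()
    for text in sources.values():
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname
            if host:
                hosts.add(host.lower())
    return hosts


def disclosed_hosts(docs):
    """Hostnames mentioned anywhere in the user-facing documentation."""
    return {h.lower() for text in docs.values() for h in HOST_RE.findall(text)}


def registrable(host):
    # Assumption: the last two labels are the owner's domain. Real audits
    # should use a public-suffix list so that e.g. co.uk is handled.
    return ".".join(host.split(".")[-2:])


def undisclosed(sources, docs):
    """Code hosts whose registrable domain no document names.

    A doc that names api.open-meteo.com is taken to cover the sibling
    geocoding-api.open-meteo.com; a provider never named at all is reported.
    """
    disclosed_domains = {registrable(h) for h in disclosed_hosts(docs)}
    return {h for h in external_hosts(sources)
            if registrable(h) not in disclosed_domains}


def coarsen(lat, lon, decimals=1):
    """Round coordinates to roughly city level (1 decimal ~ 11 km) before
    sending them, so a home or work address is not forwarded verbatim."""
    return round(lat, decimals), round(lon, decimals)


def audit(sources, docs):
    """Summary an auditor can attach to a 'Missing User Warnings' finding."""
    return {
        "external_hosts": sorted(external_hosts(sources)),
        "disclosed_hosts": sorted(disclosed_hosts(docs)),
        "undisclosed_hosts": sorted(undisclosed(sources, docs)),
    }


if __name__ == "__main__":
    for key, value in audit(SOURCE_FILES, DOC_FILES).items():
        print(f"{key}: {value}")
    print("coarsened:", coarsen(37.4219, -122.0841))
```

On the constructed input the report lists wttr.in and both Open-Meteo hosts as disclosed (the README names the parent domain) and flags api.waqi.info as the provider the docs never mention, which is the shape of the fourth finding above. Run it over a real skill by loading the actual source and doc files into the two dictionaries; hostnames built at runtime from string concatenation will not appear as URL literals and need a manual pass.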

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.