和风天气 (QWeather) weather query function

Security checks across malware telemetry and agentic risk

Overview

This is a weather lookup skill with some under-documented provider and credential setup details, but the artifacts do not show theft, destructive behavior, or unrelated hidden capabilities.

Install only if you are comfortable configuring QWeather credentials locally and sending weather locations to external weather services. Treat the Open-Meteo fallback as an under-disclosed third-party data flow, and avoid running or sharing output from the JWT token helper.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
A documented weather skill that actually includes additional capabilities such as external fallback services, local private-key file access, JWT generation, and unrelated weather endpoints materially expands the attack surface beyond what users and reviewers are told to expect. This mismatch can hide sensitive data access paths and undisclosed outbound network behavior, undermining trust boundaries and making security review incomplete or misleading.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file contains PEM-style private key markers and references to generating an ED25519 keypair, which introduces cryptographic private key material into a weather-query skill where it is not operationally justified by the stated functionality. Even if this appears malformed or placeholder-like, bundling private-key-related content in the repository creates unnecessary secret-handling risk and may indicate accidental inclusion of sensitive material or covert signing/authentication capability.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Storing private-key-related material adds a sensitive credential-handling capability that is unrelated to a simple weather API client and expands the attack surface significantly. In this context, such a key could be abused for signing, impersonation, or unauthorized access workflows, and its presence is more suspicious because the skill description only mentions weather queries via JWT+Host, not local private key storage in the package.
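The two findings above are about where an Ed25519 signing key lives, not about the JWT mechanism itself. The Go program below is an added example, not code from this skill or from QWeather: it generates the keypair into a PKCS#8 PEM file at a caller-chosen path with mode 0600, refuses to load a key that sits inside the skill directory or that other users can read, and signs an EdDSA JWT. The header and claim layout (alg, kid, sub, iat, exp) is the QWeather JWT scheme as I recall it from the provider's documentation and should be checked against the current docs; CREDENTIAL-ID, PROJECT-ID and the ./skill directory are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// GenerateKeyFile writes a fresh Ed25519 private key as PKCS#8 PEM (mode 0600) to a
// path the caller picks outside the skill package; only the public key is returned.
func GenerateKeyFile(path string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
	return pub, os.WriteFile(path, pemBytes, 0o600)
}

// LoadPrivateKey refuses a key stored inside the skill directory (bundled key material)
// or readable by other users (POSIX mode bits), then parses and type-checks the PEM.
func LoadPrivateKey(keyPath, skillDir string) (ed25519.PrivateKey, error) {
	absKey, _ := filepath.Abs(keyPath)
	absSkill, _ := filepath.Abs(skillDir)
	rel, err := filepath.Rel(absSkill, absKey)
	if err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return nil, fmt.Errorf("refusing %s: private key is inside skill dir %s", absKey, absSkill)
	}
	info, err := os.Stat(absKey)
	if err != nil {
		return nil, err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return nil, fmt.Errorf("refusing %s: mode %04o is accessible to other users", absKey, perm)
	}
	raw, err := os.ReadFile(absKey)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "PRIVATE KEY" {
		return nil, fmt.Errorf("%s: expected a PKCS#8 PRIVATE KEY PEM block", absKey)
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	priv, ok := key.(ed25519.PrivateKey) // ok is false when key is nil (parse error)
	if err != nil || !ok {
		return nil, fmt.Errorf("%s: not a valid Ed25519 PKCS#8 key", absKey)
	}
	return priv, nil
}

// Claims is the payload layout QWeather's JWT auth uses as I recall it (sub = project
// id plus iat/exp); confirm the field names against the provider's documentation.
type Claims struct {
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

var enc = base64.RawURLEncoding

// SignJWT builds header.payload.signature with alg=EdDSA and the credential id in kid;
// the token belongs in an Authorization header, never in the skill's output.
func SignJWT(priv ed25519.PrivateKey, kid, sub string, now time.Time, ttl time.Duration) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": kid})
	body, _ := json.Marshal(Claims{Sub: sub, Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	return input + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

func main() {
	dir, _ := os.MkdirTemp("", "qweather-key")
	defer os.RemoveAll(dir)
	keyPath := filepath.Join(dir, "qweather.pem") // anywhere except the skill directory
	if _, err := GenerateKeyFile(keyPath); err != nil {
		panic(err)
	}
	priv, err := LoadPrivateKey(keyPath, "./skill") // ./skill is a placeholder package dir
	if err != nil {
		panic(err)
	}
	tok := SignJWT(priv, "CREDENTIAL-ID", "PROJECT-ID", time.Now(), 10*time.Minute)
	fmt.Printf("signed a %d-byte token (token and key are deliberately not printed)\n", len(tok))
}
```

The directory check in LoadPrivateKey is the property a reviewer would want the helper to have: a key that passes it cannot be the one bundled in the package, and the permission check catches the common case of a key copied with default 0644 mode. Neither the key nor the token is ever written to stdout, which is what the overview's advice not to share the helper's output amounts to in code.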

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The function silently sends user-supplied location data to a second provider (Open-Meteo) when QWeather location resolution fails, even though the skill metadata describes QWeather-based weather queries. This creates an undeclared data flow and trust-boundary expansion, which is a real privacy and integrity issue because users and integrators may assume their data only goes to QWeather.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
On API failure or request exceptions, the code silently retries with Open-Meteo, broadening external data sharing beyond the stated single-provider behavior. This is dangerous because operational failures at one provider should not automatically trigger transmission of user data to a different provider without notice or consent.

Missing User Warnings

Low
Confidence
78% confidence
Finding
Using a default location from an environment variable without clearly notifying the user can leak contextual information about a preset place, such as a home city, office location, or organization default, and can produce results based on an unintended location. While lower severity than secret leakage, it is still a privacy/transparency issue because the skill may act on hidden configuration the user did not explicitly provide.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Unlike the primary provider call, this fallback path transmits the user's location to a secondary external provider that is not disclosed in the stated skill description. Hidden secondary disclosure is materially more sensitive because it changes who receives user data and may violate user expectations, policy, or compliance requirements.
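The four findings about the fallback and the default location describe one defect from different angles: the location leaves the user's machine for a provider they were not told about, sometimes a location they never typed. The Go program below is an added example, not the skill's code. It keeps the silent-retry behaviour the findings describe as lookupSilent for contrast, and beside it a LookupWeather that only contacts the second provider when AllowFallback is set, labels a location that came from a configured default, and returns the list of providers that received the data so the skill can disclose it. The providers are in-memory mocks constructed for the demo, and WEATHER_DEFAULT_LOCATION is a hypothetical variable name, not one the skill is known to use.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Provider abstracts a weather backend. Real implementations would call the QWeather
// or Open-Meteo HTTP APIs; mockProvider is constructed for this demo.
type Provider interface {
	Name() string
	Lookup(location string) (string, error)
}

type mockProvider struct {
	name string
	fail bool // simulates "location not resolved" or a request exception
}

func (m mockProvider) Name() string { return m.name }

func (m mockProvider) Lookup(loc string) (string, error) {
	if m.fail {
		return "", fmt.Errorf("%s could not resolve %q", m.name, loc)
	}
	return fmt.Sprintf("%s: 21 C, clear in %s", m.name, loc), nil
}

// Options makes the two hidden behaviours explicit: the second provider must be opted
// into, and a configured default location is labelled rather than silently substituted.
type Options struct {
	AllowFallback   bool
	DefaultLocation string
}

// Result records every provider that received the location, in call order.
type Result struct {
	Location       string
	LocationSource string // "user" or "default"
	Summary        string
	Contacted      []string
}

// lookupSilent mirrors the behaviour the findings describe: any primary failure
// re-sends the location to the secondary provider without notice or consent.
func lookupSilent(loc string, primary, fallback Provider) (string, error) {
	if s, err := primary.Lookup(loc); err == nil {
		return s, nil
	}
	return fallback.Lookup(loc)
}

// LookupWeather is the hardened form: the fallback is only contacted with explicit
// consent, and the Result discloses the data flow whether or not the lookup succeeded.
func LookupWeather(userLoc string, primary, fallback Provider, opts Options) (Result, error) {
	r := Result{Location: userLoc, LocationSource: "user"}
	if userLoc == "" {
		if opts.DefaultLocation == "" {
			return r, errors.New("no location given and no default configured")
		}
		r.Location, r.LocationSource = opts.DefaultLocation, "default"
	}
	r.Contacted = append(r.Contacted, primary.Name())
	summary, err := primary.Lookup(r.Location)
	if err == nil {
		r.Summary = summary
		return r, nil
	}
	if fallback == nil || !opts.AllowFallback {
		return r, fmt.Errorf("%w; not retrying with another provider without AllowFallback", err)
	}
	r.Contacted = append(r.Contacted, fallback.Name())
	summary, ferr := fallback.Lookup(r.Location)
	if ferr != nil {
		return r, fmt.Errorf("primary: %v; fallback: %w", err, ferr)
	}
	r.Summary = summary
	return r, nil
}

// Disclosure renders the data-flow line a skill should show alongside its answer.
func Disclosure(r Result) string {
	src := "supplied by you"
	if r.LocationSource == "default" {
		src = "taken from the configured default, not from your request"
	}
	return fmt.Sprintf("location %q (%s) was sent to: %s", r.Location, src, strings.Join(r.Contacted, ", "))
}

func main() {
	primary := mockProvider{name: "QWeather", fail: true}
	fallback := mockProvider{name: "Open-Meteo"}
	// WEATHER_DEFAULT_LOCATION is a hypothetical variable name for this demo.
	opts := Options{DefaultLocation: os.Getenv("WEATHER_DEFAULT_LOCATION")}

	r, err := LookupWeather("Beijing", primary, fallback, opts)
	fmt.Println(Disclosure(r), "| error:", err)

	opts.AllowFallback = true
	r, _ = LookupWeather("Beijing", primary, fallback, opts)
	fmt.Println(Disclosure(r), "|", r.Summary)
}
```

Returning the Contacted list even on the error path matters: a reviewer checking the undisclosed-flow finding can assert that a failed lookup without consent touched exactly one provider, and a user sees the same disclosure line whether the answer came from the primary or the fallback.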

VirusTotal

66/66 vendors flagged this skill as clean.
