Sunset Bot (Sunset Glow Forecast for China)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward sunset forecast monitor, but users should know it sends city queries to sunsetbot.top and keeps local query logs.

Install only if you are comfortable sharing queried cities and forecast parameters with sunsetbot.top, storing local forecast history under data/, and configuring a Feishu Open ID for notifications. Consider clearing or limiting the logs if location-interest history is sensitive on your machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill sends user-supplied city and request parameters to the external service sunsetbot.top, but the description does not clearly warn users that their query data leaves the local agent environment. This is a privacy and transparency issue because users may assume the request is handled locally, especially for location-related queries that can reveal travel patterns or residence information.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill mandates persistent logging to data/sunsetbot-monitor.log and data/log.md, including query time, city, forecast date, forecast type, and notification status, without a clear user-facing warning. Persistent storage of this history can expose behavioral patterns, location interest, and notification activity to other local users, backups, or later processes that access these files.

VirusTotal

VirusTotal findings are pending for this skill version.
