Security audit

Weather Cli

Security checks across malware telemetry and agentic risk

Overview

This is a simple weather lookup skill; its main caveat is that weather searches go to an external service.

Install only if you are comfortable querying wttr.in with the locations you enter and installing curl/jq from your trusted package manager. Confirm what provides the actual weather command, since this artifact documents usage but does not bundle an implementation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 95% confidence
Finding: The skill documentation states that weather data comes from wttr.in, but it does not clearly warn users that their queried locations are transmitted to an external third-party service. Even though this is expected for a weather tool, location queries can contain sensitive travel, residence, or operational information, so the missing disclosure is a real privacy weakness.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.