ClawHub

Ambient Weather

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Ambient Weather read-only connector skill with some setup and scoping cautions but no evidence of hidden, destructive, or exfiltrating behavior.

Install only if you trust OOMOL and are comfortable connecting your Ambient Weather account through its CLI. Review the remote installer before running it, and remember the skill can read device metadata plus latest and historical weather observations from the connected account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest at L03 frames the skill as being for Ambient Weather requests involving searching and reading data. However, the Safety section explicitly discusses state-changing and destructive actions, implying the skill may be used to perform writes and deletes, which exceeds the manifest's stated read-oriented scope.

Vague Triggers

Medium
Confidence
95% confidence
Finding
This is a markdown/manifest file, so vague-trigger review applies. The phrasing is broad and lacks constraints or exclusion examples, making activation ambiguous for any conversation that merely mentions Ambient Weather rather than clearly requesting these specific read actions.

External Script Fetching

High
Category
Supply Chain
Content
- **`oo: command not found`** — install the oo CLI (other platforms: <https://cli.oomol.com/install-guide.md>):

  ```bash
  curl -fsSL https://cli.oomol.com/install.sh | bash    # macOS / Linux
  ```

  ```powershell
Confidence
90% confidence
Finding
curl -fsSL https://cli.oomol.com/install.sh | bash

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal