天气查询测试技能

Security checks across malware telemetry and agentic risk

Overview

This is a simple weather lookup skill; its main caveat is that city queries are sent to a public weather service over unencrypted HTTP.

Safe to use for ordinary weather checks. Before installing, be aware that the city you ask about may be visible to wttr.in and to network intermediaries because the request uses HTTP; avoid using it for sensitive location-related queries.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 95% confidence
Finding: The skill sends user-derived city data to a third-party service over plain HTTP, which lacks transport encryption. This allows network observers or intermediaries to read or modify the request and response, and the user is not informed that their input is being transmitted externally. In this context the data is low sensitivity, but the insecure transport still creates a real integrity and privacy risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal