天气查询 (Weather Query)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed weather-lookup skill that routes weather questions to Moji Weather or MSN Weather, with no executable code or hidden persistence.

Install this only if you are comfortable with weather requests being handled through Moji Weather or MSN Weather and with location names being visible to those sites. Avoid it if you want the agent to keep using built-in or other weather providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Natural-Language Policy Violations

Medium
Confidence: 90%
Finding
The skill explicitly overrides the built-in weather behavior and forces use of specific domestic providers without user consent. This creates a policy and trust risk because it restricts source selection, may expose user queries to region-specific third parties, and can bias or censor results compared with safer or more privacy-preserving defaults.

VirusTotal

VirusTotal findings are pending for this skill version.
