Back to skill

Security audit

Weather Ultra

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward weather and photography-light forecast helper, with some normal privacy and setup considerations for external weather APIs.

Install only if you are comfortable sharing queried locations with WeatherAPI and SunsetHue and using local API keys for those services. Keep ~/.openclaw/.env trusted, use limited-purpose API keys, and ensure curl and jq are available before running the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises execution of a local shell script but does not declare corresponding permissions, which creates a transparency and policy-enforcement gap. In an agent environment, hidden shell capability can enable unintended command execution paths or make reviewers and users underestimate the skill's operational power.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger list includes very common phrases such as '天气' and '天气预报', making accidental activation more likely. Overly broad activation is risky because it can invoke shell-backed behavior in contexts where the user did not clearly intend to run this specific skill.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.