Back to skill

Security audit

Weathercli

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward weather helper skill with normal network and install considerations, and no evidence of hidden or malicious behavior.

Install this if you are comfortable fetching the weathercli tool from GitHub and sending queried locations to Open-Meteo or related geocoding/weather services. For stronger supply-chain control, review the upstream repository and prefer a pinned release or commit instead of @latest.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
96% confidence
Finding
The skill sends user-provided location data to an external weather service, but the description does not clearly warn users that their query leaves the local environment. While location names are usually low sensitivity, they can still reveal travel plans, home/work area, or other contextual personal information, so the omission creates a transparency and privacy risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.