Weathercli

Security checks across malware telemetry and agentic risk

Overview

This is a coherent weather helper skill with a disclosed external CLI install and normal location-query privacy considerations, but no evidence of hidden or malicious behavior.

Install this if you are comfortable fetching the weathercli tool from GitHub and sending queried locations to external weather/geocoding providers. For stronger supply-chain control, review the upstream repository and prefer a pinned version or commit instead of @latest.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 93% confidence
Finding: The skill sends user-supplied locations to external geocoding and weather services, but the documentation does not clearly disclose that this data leaves the local environment. Even though locations are usually low sensitivity, they can reveal home addresses, travel plans, or other personal context, so the omission creates a privacy and consent issue.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal