Adaptive Tone

Security checks across malware telemetry and agentic risk

Overview

This plugin coherently adjusts assistant tone, with the main caveat that its optional weather feature sends configured coordinates to Open-Meteo when enabled.

Reasonable to install if you want tone adaptation. Review the weather setting before enabling it with real coordinates: it contacts Open-Meteo and sends the configured latitude and longitude. Disable weather mode if you do not want external network calls for tone changes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The README states that the plugin uses the Open-Meteo API and documents latitude/longitude configuration, but it does not clearly warn users that enabling weather-aware tone adaptation causes location data to be transmitted to a third-party service. In a plugin that adapts conversational behavior, this disclosure matters because operators may not expect external network calls or location sharing from a tone-only feature, creating privacy and compliance risk.

Missing User Warnings

Low

Confidence: 88% confidence
Finding: This plugin performs outbound network access to fetch weather data during prompt construction, but the code shown provides no user-facing disclosure or consent mechanism. Even if only latitude/longitude are sent, this can expose location-related data and create an unexpected privacy leak, especially because it happens automatically on each turn when enabled.

VirusTotal

62/62 vendors flagged this plugin as clean.

View on VirusTotal