Back to skill

Security audit

Google Weather

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Google Weather helper that uses a Google API key and sends requested locations to Google weather/geocoding services as expected.

Install only if you are comfortable using a Google API key and sending requested location queries to Google. Prefer a restricted API key limited to the needed Weather and Geocoding APIs, and avoid entering precise private addresses unless necessary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill declares only `allowed-tools: [exec]` while the documentation clearly indicates it uses environment variables for API keys and makes outbound requests to Google geocoding and weather services. This creates a permissions/behavior mismatch that can mislead users and policy engines about the skill's actual access to secrets and networked data flows.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill accepts user-provided locations and geocodes them via Google APIs, but the description does not clearly warn that these queries are transmitted to a third party. Location data can be sensitive, so failing to disclose this external sharing undermines informed consent and may violate privacy expectations or organizational policy.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The helper hard-codes Israeli cities and Hebrew aliases as privileged quick-lookups without any comparable support for other locales, which creates biased behavior and can steer outputs toward a specific region/language without explicit user choice. In an agent skill, this can cause unfair or misleading defaults and reduce user trust, especially when locale assumptions affect geocoding and presentation.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The geocoding request sends the user-provided location string to Google's Geocoding API without any user-facing notice or consent flow. Because location queries can reveal sensitive personal information such as home, workplace, or travel plans, undisclosed transmission to a third party creates a privacy risk even though the destination is an expected weather/geocoding service.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.