Back to skill

Security audit

Weather

Security checks across malware telemetry and agentic risk

Overview

This is a simple weather lookup skill that uses curl to query wttr.in; its main caveat is that requested locations are sent to a third-party weather service.

Before installing, understand that weather requests will contact wttr.in and can reveal the queried location plus normal request metadata such as IP address. Avoid using exact home addresses or sensitive travel details; use city, region, or airport codes instead. The Open-Meteo mention appears undocumented, so expect wttr.in behavior unless the author updates the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
91% confidence
Finding
The skill instructs the agent to send user-supplied locations directly to wttr.in, a third-party service, but does not disclose that this transfers user input externally. Even though a city name is usually low-sensitivity data, locations can still reveal travel plans, home area, or other contextual personal information, so the missing privacy warning is a real data-handling issue.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.