mycityweather

Security checks across malware telemetry and agentic risk

Overview

This is a simple weather lookup skill whose external API use fits its purpose and shows no executable code, persistence, credential theft, or hidden behavior.

Safe to install from a security perspective. Before relying on it, confirm whether your setup connects it to a real weather provider or uses simulated weather data, and avoid sending locations you consider sensitive unless you trust the configured provider.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 91% confidence
Finding: The skill explicitly states it can connect to real weather APIs, which implies user-supplied location and date queries may be transmitted to third-party services. Without a privacy notice or data-handling disclosure, users and integrators may unknowingly expose query data externally, creating a transparency and privacy risk even if the data is not highly sensitive in most cases.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal