Back to skill

Security audit

Weather TV style

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it advertises: create a local weather infographic using Open-Meteo weather data and Gemini image generation.

Install this in a virtual environment if possible, use a Gemini API key whose quota you are comfortable using, and enter only locations you are comfortable sharing with Open-Meteo and Google Gemini.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares an environment variable requirement and an install step that pulls packages from the network, but it does not explicitly declare corresponding permissions. This creates a transparency and policy-enforcement gap: a host may treat the skill as low-privilege while it can still access secrets in the environment and perform network activity to fetch dependencies or contact external services.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The skill sends user-associated location data and derived weather-query parameters to third-party services, but the code contains no disclosure, consent handling, or even developer-facing warning about that external transmission. In this skill context, the address is central input and can be sensitive; transmitting it to image-generation and weather providers creates a real privacy risk even if the behavior is functionally expected.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.