weather-mcp

Security checks across malware telemetry and agentic risk

Overview

This instruction-only weather skill is coherent and disclosed, with the main privacy consideration that weather locations are sent to a listed external endpoint.

Install this only if you are comfortable sending the requested city or coordinates to the listed weather MCP endpoint. Prefer city names over exact coordinates when possible, and only provide a narrow token intended for this weather service if authentication is required.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill instructs sending user-supplied location data to a remote third-party SSE endpoint without an explicit privacy notice or consent step. Location data can be sensitive, and silently transmitting it off-platform may violate user expectations or internal data-handling policies.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal