tencent-weather

Security checks across malware telemetry and agentic risk

Overview

This weather skill is not clearly malicious, but it needs review because it installs and runs a persistent external Tencent News CLI and checks API-key state to provide weather results.

Install only if you trust the publisher and the Tencent-hosted tencent-news-cli installer. Prefer downloading and verifying installer scripts before running them, be aware the skill may use or change a stored API key, and treat the local tencent-news-cli installation as a persistent dependency with broader capabilities than weather lookup alone.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to execute shell scripts and CLI commands, but no corresponding permissions are declared. This creates a capability/permission gap: reviewers and runtime policy may underestimate what the skill can do, while the documented workflow includes installation, update, API key management, and command execution on the host.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared purpose is weather lookup, but the documented behavior includes host inspection, CLI installation/update, API key state management, and a generic `run-cli` wrapper capable of executing arbitrary passed commands. That broader operational scope materially increases risk because a user or downstream component may trust the skill as a simple data-retrieval tool when it can also modify local state and invoke powerful commands.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The file documents configuration for `tencent-news-cli` and a news API key acquisition flow, while the skill is declared to be a Tencent weather tool. This mismatch is a real security concern because it can misdirect users into obtaining and storing credentials for an unrelated service, indicating possible supply-chain confusion, repackaging error, or deceptive documentation that causes unintended credential exposure or misuse.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The installation guide is for a different product (`tencent-news-cli`) than the declared `tencent-weather` skill, which is a serious integrity and supply-chain mismatch. Users expecting a weather tool could be induced to install unrelated software, increasing the risk of unauthorized capabilities, deceptive packaging, or malicious substitution.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documentation repeatedly identifies the artifact as `tencent-news-cli`, directly contradicting the advertised weather skill identity. This kind of identity inconsistency undermines trust, can mislead users into installing the wrong executable, and is especially dangerous when paired with one-line remote installation commands.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The bundled update guide is for "tencent-news-cli" rather than the weather skill described in the manifest, which indicates the package contains mismatched documentation. This is dangerous because users may be directed to install or update an unrelated executable, creating supply-chain confusion and increasing the chance of unintended software installation or trust abuse.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
Documentation for a news CLI inside a weather-information skill is inconsistent with the declared functionality and can mislead users into running commands for unrelated software. In a security context, this kind of mismatch is risky because it can hide repackaging, dependency confusion, or accidental distribution of instructions that operate outside the intended trust boundary.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The weather skill's state script is wired to a different product entirely: it looks for `tencent-news-cli`, uses `TENCENT_NEWS_INSTALL`, and resolves news-specific binary names and paths. This can cause the agent to trust the presence and state of an unrelated executable, leading to incorrect security decisions, accidental execution of the wrong tool, or exposure of secrets from another Tencent skill installation.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script queries `version` and `apikey-get` on the news CLI rather than the weather tool, so it may report update and API-key status for the wrong application. In a skill environment, that can mislead operators into believing the weather integration is configured or safe when in reality credentials belong to another component, and it may also invoke a wrong binary discovered on PATH.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script is materially inconsistent with the declared weather-skill purpose: it targets a different binary name and install path ('tencent-news-cli') and inspects local CLI state rather than providing weather functionality. In an agent-skill context, this kind of capability mismatch is dangerous because it can hide unrelated host inspection and credential discovery behind an innocuous manifest, increasing the risk of unauthorized environment reconnaissance.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file's stated behavior is to output install state, update status, and API key status, which does not match the manifest's weather-query description. This discrepancy is risky because users and reviewers may authorize the skill expecting weather retrieval while the code instead inventories software state and credentials on the host.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script performs local installation checks, executes a local binary, and inspects whether an API key is configured, none of which are justified by a simple weather-query skill. Even though it does not print the full key, it still probes credential presence and system configuration, which constitutes unnecessary sensitive-state enumeration and can aid later abuse or exfiltration planning.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The script header and usage comment explicitly describe executing a news CLI in a skill advertised as a weather tool, which is a strong indicator of copy/paste drift or mismatched tooling. In an agent setting, this can cause the skill to invoke an unintended binary and process user requests with software outside the declared trust boundary, undermining least surprise and potentially exposing users to unrelated capabilities.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The wrapper resolves and prefers `tencent-news-cli`/`tencent-news-cli.exe`, plus related install paths and environment variables, even though the skill is supposed to provide weather queries. This means user input intended for a weather function is handed to a different executable entirely, creating a capability mismatch that could trigger unintended operations, data access, or command semantics controlled by the news CLI.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
After resolving the binary, the script forwards user-supplied arguments directly to the resolved news CLI and executes it, despite the declared purpose being weather lookup. In skill-based agent environments, this context mismatch is dangerous because it lets a misbound executable act on user prompts under the guise of a benign weather tool, increasing the chance of unintended data handling or abuse of unrelated CLI features.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The wrapper for a weather skill resolves and executes a binary named `tencent-news-cli`, which is a strong capability mismatch. Even if this is accidental, users invoking a weather tool may actually execute unrelated code or contact an unintended backend, creating a supply-chain and trust-boundary issue where the skill can perform actions outside its declared purpose.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide instructs users to set, retrieve, and clear an API key, including a command that displays the stored key, but provides no warning about credential sensitivity, shell history, screen exposure, or least-privilege handling. In a setup guide, this increases the chance that users will reveal secrets in shared terminals, logs, screenshots, or support interactions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Piping a remotely fetched script directly into `sh` executes unreviewed code immediately, preventing the user from inspecting what will run. If the CDN, path, or delivery chain is compromised, this becomes arbitrary code execution on the user's machine.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Using `irm ... | iex` in PowerShell has the same core risk as `curl | sh`: it fetches and executes remote code in one step with no inspection barrier. A compromised host, CDN path, or DNS resolution could lead to immediate code execution under the user's context.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The markdown instructs users to execute remotely fetched shell and PowerShell scripts directly, without any integrity verification, signature checking, or safety warning. This is dangerous because compromise of the remote host, CDN path, or delivery chain would immediately translate into arbitrary code execution on the user's machine.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script invokes an external CLI command to inspect API key status without clear disclosure that it will access local credential-related state. In this skill context, that is more dangerous because the declared purpose is weather lookup, so users would not reasonably expect background checks against local tools and secrets configuration.

External Script Fetching

High
Category
Supply Chain
Content
Open a terminal and run the following command:

```sh
curl -fsSL https://mat1.gtimg.com/qqcdn/qqnews/cli/hub/tencent-news/setup.sh | sh
```

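The script automatically: detects the system and architecture → downloads the CLI → verifies it → configures environment variables → checks the API key status.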
Confidence
97% confidence
Finding
curl -fsSL https://mat1.gtimg.com/qqcdn/qqnews/cli/hub/tencent-news/setup.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
Open a terminal and run the following command:

```sh
curl -fsSL https://mat1.gtimg.com/qqcdn/qqnews/cli/hub/tencent-news/setup.sh | sh
```

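The script automatically: detects the system and architecture → downloads the CLI → verifies it → configures environment variables → checks the API key status.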
Confidence
95% confidence
Finding
| sh

VirusTotal

VirusTotal findings are pending for this skill version.
