current_weather

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only weather skill whose main privacy consideration is a disclosed fallback that may use third-party IP location sites to infer a city.

Installers should know that the skill may use third-party IP geolocation sites if the city is not otherwise known. For better privacy, provide the city directly and decline or avoid IP-based location lookup when the location is sensitive.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

High

Confidence: 96% confidence
Finding: The skill explicitly instructs use of third-party IP geolocation services to infer the user's city without any clear notice, consent flow, or privacy warning. That can disclose the user's IP-derived location and metadata to external services and collect location information the user did not intentionally provide, making it a real privacy/security issue in this context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal