ClawHub

彩云天气每日推送

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it fetches weather for a configured location and sends scheduled notifications, but users should understand their coordinates and message timing may go to third-party services.

Install only if you are comfortable sharing the configured coordinates with Caiyun and sending the generated weather report through your chosen notification channel. Use a dedicated Caiyun token if possible, avoid overly precise coordinates if neighborhood-level weather is enough, test with dry-run or terminal output first, and remove the cron configuration when you no longer want daily notifications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents use of environment variables, outbound network access, and shell commands, but does not declare corresponding permissions or capabilities. This creates a transparency and governance gap: users or the hosting platform may not realize the skill will access secrets and transmit location/token data externally.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs users to send precise latitude/longitude and an API token to a third-party weather service without an explicit privacy warning or data handling notice. Location data is sensitive, and users may not understand that using the skill discloses their coordinates to an external provider.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises forwarding weather reports through WeChat, Telegram, Discord, and similar services, but does not warn users that message content and associated metadata will be transmitted to those third parties. Even if the payload is only weather data, it can reveal habitual location and daily routines when combined with channel/account metadata.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends precise latitude/longitude and embeds the Caiyun API token in the request path to a third-party weather service without any explicit notice, consent prompt, or minimization. Even though this is necessary for the advertised functionality, location data is sensitive and the token may be exposed in process listings, logs, shell history, or monitoring systems depending on the environment.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal