wittiot-device-skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent WittIoT weather-station query tool, with the main caution being careful handling of the required API key.

Install only if you trust the publisher and want an agent to access your WittIoT weather-station data. Prefer setting WITTIOT_API_KEY as an environment variable or secret instead of pasting it into chat or storing it in plaintext config.json; revoke the key from WittIoT if it is exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 78% confidence
Finding: The trigger examples include broad, everyday phrases for weather and device status queries, which can cause the skill to activate unintentionally in unrelated conversations. Misfires are more concerning here because the skill may then prompt for or use an API key and query account-linked device data.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation recommends saving the API key to a local `config.json` without warning about plaintext secret storage, file permissions, or multi-user system exposure. If the host is shared, backed up, or the workspace is readable by other tools, the credential can be stolen and used to access bound weather-station data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal