Tempest Weather

Security checks across malware telemetry and agentic risk

Overview

This is a coherent read-only Tempest weather skill that uses a user-provided token to fetch station data from WeatherFlow.

Install this if you want your agent to read your Tempest station data. Store the Tempest API token in environment configuration, not chat, and be aware that broad requests like home or backyard weather may use your station-specific data rather than a general weather source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger description includes broad phrases like 'backyard/home weather' and 'quick local weather summaries,' which can overlap with generic weather requests and cause the skill to activate when the user did not specifically ask for Tempest data. That can lead to unintended use of a third-party API, disclosure of home-station-derived data, or confusion about the provenance and scope of the response.

VirusTotal

65/65 vendors flagged this skill as clean.
