ClawHub

weather-query-ych

Security checks across malware telemetry and agentic risk

Overview

This weather skill is narrow and purpose-aligned, but it exposes a weather API key and sends queries to an external provider.

Install only if you are comfortable with weather queries being sent to a third-party weather service. The publisher should remove and rotate the embedded API key, load credentials from a secure configuration path, add request timeouts/input handling, and document the provider and data shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code hardcodes a live weather.com API key directly in source and uses it to make outbound requests. This exposes a reusable credential to anyone with code access and enables unauthorized API consumption, quota exhaustion, billing abuse, or use of the key outside the intended skill.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The request URL includes user-derived location input (`city`) and sends it to an external third party without any disclosure, consent flow, or data-minimization controls. Even if the data seems low sensitivity, it can reveal a user's location interests or habits and creates a privacy risk through unnecessary external transmission.

External Transmission

Medium
Category
Data Exfiltration
Content
def get_weather(city, date):
#https://api.weather.com/v2/turbo/vt1dailyForecast?apiKey=c1ea9f47f6a88b9acb43aba7faf389d4&format=json&geocode=39.93%2C116.40&language=zh-CN&units=m
    api_key = "c1ea9f47f6a88b9acb43aba7faf389d4"
    url = f"https://api.weather.com/v2/{city}/{date}?key={api_key}"
    response = requests.get(url)
    return response.json()
Confidence
90% confidence
Finding
https://api.weather.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal