weather-skill-0311

Security checks across malware telemetry and agentic risk

Overview

This is a small weather lookup skill that matches its stated purpose, with the main caveat that online searches send the city name to wttr.in over plain HTTP.

Safe for ordinary weather lookups. Be aware that online mode sends the city you type to wttr.in over an unencrypted HTTP request, so use --offline for demos or avoid sensitive/private locations unless the endpoint is changed to HTTPS.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The script sends the user-supplied city name to wttr.in over the network without clearly informing the user that their input will be disclosed to a third-party service. In addition, it uses plain HTTP rather than HTTPS, which allows intermediaries to observe or tamper with the request and response, increasing privacy and integrity risk.

VirusTotal

66/66 vendors flagged this skill as clean.