weather-skill-yub

Security checks across malware telemetry and agentic risk

Overview

This is a small weather lookup skill whose behavior matches its stated purpose, with a minor privacy caveat for online city lookups.

Before installing, verify the package name because the install command appears to be a placeholder. Use offline mode if you do not want to send a city name externally; otherwise avoid querying sensitive locations because online lookups go to wttr.in over plain HTTP.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 90% confidence
Finding: The script transmits the user-supplied city name to wttr.in over the network without any disclosure or consent mechanism in the skill itself. While the data is low sensitivity in many cases, location queries can reveal user interests or whereabouts, and the request is made over plain HTTP, which further exposes the query to interception.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal