Tübingen Weather

Security checks across malware telemetry and agentic risk

Overview

This is a narrow weather-report skill that uses a public weather API, optional local text output, and a clearly documented daily cron setup.

Install it if you want automated Tübingen weather summaries. Only add the cron job if daily 08:00 execution is desired, and confirm the saved output path is acceptable for local weather text files.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill documentation instructs use of both network access (Open-Meteo API) and file writes (saving reports locally), but it does not declare those permissions. Undeclared capabilities reduce transparency and can cause the agent or reviewer to authorize behavior they did not explicitly approve, which is a real security and governance issue even if the stated use case is benign.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 90% confidence
Finding: The skill description claims automated daily delivery and Telegram forwarding, but the documented implementation only fetches weather data, prints to stdout, and suggests a separate cron setup. This mismatch can mislead users and operators about what the skill actually does, potentially causing them to trust unimplemented automation or messaging paths and overlook where data is really going.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal