ClawHub

Weather Query Zrr

Security checks across malware telemetry and agentic risk

Overview

This is a coherent weather lookup skill that runs a local Python script to query public weather APIs, with limited privacy considerations around sending city names to those services.

Install only if you are comfortable with a local Python script making HTTPS requests to wttr.in and Open-Meteo using the city or location you provide. It does not require an API key and does not appear to read credentials or persist data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes network access and shell execution (`python3 scripts/weather.py ...`) but does not declare corresponding permissions. Undeclared capabilities reduce transparency and can cause the agent or user to invoke networked code without understanding the external data flow and execution surface. In this context the functionality is weather lookup, so the risk is not inherently malicious, but hidden network/shell capability still expands attack surface and weakens policy enforcement.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description says to use the skill for weather, temperature, forecast, or air quality for any city, which is broad enough to match many common user requests without clear invocation boundaries. Over-broad triggering can cause the agent to call the skill unexpectedly, sending user-provided locations to third-party services when the user did not explicitly consent to an external lookup. The weather context makes the impact moderate rather than severe, but it still creates privacy and control issues.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The documentation states that the skill requires network access to wttr.in or api.open-meteo.com, but it does not clearly warn that user-supplied city names are transmitted to those third-party services. This omission weakens informed consent and can expose potentially sensitive location information, though the transmitted data is limited and the domain is weather lookup, so impact is comparatively low.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal