My Local Weather

Security checks across malware telemetry and agentic risk

Overview

This is a simple weather lookup skill that sends the requested location to wttr.in, with no evidence of persistence, credential theft, or destructive behavior.

Install only if you are comfortable with searched locations being sent to wttr.in. Do not rely on the documented WEATHER_API_KEY, configurable provider, alerts, history, or forecast behavior unless the maintainer updates the implementation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill sends the user-supplied location to the external service wttr.in, which is a real data disclosure because location data can be sensitive and the code provides no in-skill notice, consent flow, or privacy boundary. The context makes this somewhat less dangerous than credential exfiltration because the request is necessary to fulfill the weather function and uses HTTPS with URL encoding, but it still exposes potentially sensitive user data to a third party.

VirusTotal

62/62 vendors flagged this skill as clean.