Back to skill

Security audit

Weather

Security checks across malware telemetry and agentic risk

Overview

This weather skill is narrowly scoped to fetching forecasts from public weather services and does not show hidden, persistent, or destructive behavior.

Install only if you are comfortable with weather queries being sent to external services. Avoid entering sensitive exact locations in restricted environments; otherwise the skill appears purpose-aligned and low risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
91% confidence
Finding
The skill examples issue live network requests to third-party weather services and do not warn users that queried locations, IP address, user agent, and request metadata will be disclosed to external operators. While this is expected for a weather skill, the lack of disclosure can still create a privacy issue, especially if users supply sensitive locations or use the skill in restricted environments.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.