free-weather-data
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill interacts with reputable, well-known weather services (Open-Meteo and wttr.in) for data retrieval. No sensitive files are accessed, and no credentials or API keys are required or hardcoded.
- [SAFE]: Code implementations follow standard security practices for URL construction, utilizing URLSearchParams and encodeURIComponent to sanitize inputs.
- [COMMAND_EXECUTION]: The skill provides curl commands to interact with weather APIs. These commands are used strictly for data retrieval from specified public endpoints and do not include piping to a shell or execution of remote content.
- [PROMPT_INJECTION]: The surface for indirect prompt injection from weather API responses was evaluated. 1. Ingestion points: Weather data from api.open-meteo.com and wttr.in is consumed via curl and fetch in SKILL.md. 2. Boundary markers: Absent in the agent prompt templates. 3. Capability inventory: The skill's capabilities are limited to data retrieval and local parsing logic. 4. Sanitization: Responses are parsed as structured JSON, and data is often cast to numeric types (e.g., parseInt, parseFloat), which prevents the interpretation of arbitrary API text as agent instructions.
Audit Metadata