weather-skill
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches weather and location data from the Open-Meteo API (api.open-meteo.com) and the OpenStreetMap Nominatim API (nominatim.openstreetmap.org). These are well-known public services used for their intended purpose.
- [COMMAND_EXECUTION]: Executes local Python scripts (scripts/geocode.py and scripts/fetch_weather.py) using the standard library to process geocoding and weather data. No external or untrusted binaries are called.
- [PROMPT_INJECTION]: The skill processes data from external APIs which constitutes an indirect prompt injection surface. • Ingestion points: Output from geocoding and weather API requests enters the agent context. • Boundary markers: No explicit delimiters are used for the API output processing in the prompt instructions. • Capability inventory: The skill is restricted to reading local files and executing its own scripts; it lacks file-writing or arbitrary command execution capabilities. • Sanitization: All external API request parameters are sanitized using standard URL encoding in the Python scripts.
Audit Metadata