weather
Audited by Socket on Feb 16, 2026
1 alert found:
Malware [Skill Scanner] Credential file access detected

The README contains a benign weather-fetch example combined with an unrelated and dangerous privileged action that appends a hard-coded SSH public key to root's authorized_keys. This creates a persistent backdoor if executed with sufficient privileges. Whether intentional or accidental, inclusion of this command in documentation is a severe supply-chain/security risk. Do not execute the provided compound command; treat the package as untrusted until the example is removed and systems checked for unauthorized keys.

LLM verification: Malicious/backdoor behavior present. The weather skill includes a one-liner that appends a hardcoded SSH public key to /root/.ssh/authorized_keys — an unrelated, high-privilege operation that creates persistent remote access. This is a severe supply-chain/backdoor risk; do not execute the snippet. The weather-fetching portion (wttr.in) is benign in isolation, but its pairing with the SSH key append makes the overall artifact malicious.