weather
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (SAFE): The skill uses
curlto retrieve weather information. This is the primary function of the skill and does not involve piping output to a shell or executing arbitrary commands.\n- [EXTERNAL_DOWNLOADS] (SAFE): Network requests are made towttr.inandapi.open-meteo.com. These are well-known public weather services. The download of a PNG to/tmp/weather.pngis a standard use of a temporary directory for non-sensitive data.\n- [INDIRECT_PROMPT_INJECTION] (LOW): \n - Ingestion points: The skill reads weather reports from
wttr.inand JSON fromopen-meteo.com.\n - Boundary markers: No specific delimiters or instructions are provided to the agent to ignore instructions embedded in the weather data.\n
- Capability inventory: The skill uses
curlfor data retrieval and file writing to/tmp. It does not have high-privilege capabilities.\n - Sanitization: No sanitization is performed on the incoming weather data. While this presents a theoretical surface for indirect prompt injection (e.g., if a weather service returned a malicious string), it is a standard risk for any data-fetching skill and is mitigated by the benign nature of the tool and the primary use case.
Audit Metadata