ClawHub
Back to skill

Security audit

Air Quality Pollen Information

Security checks across malware telemetry and agentic risk

Overview

This is a coherent AgentPMT air-quality and pollen lookup skill, with disclosed external calls and limited map-output persistence.

Install only if you are comfortable sending requested addresses or coordinates to AgentPMT. Avoid using precise home, workplace, or other sensitive locations unless needed, and remember generated map URLs persist for 7 days.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill advertises broad activation phrases such as health/safety monitoring, travel planning, environmental monitoring, and generic terms like 'create map' and 'locations'. In an agentic environment, overly broad triggers can cause unintended invocation, sending user-provided locations or addresses to the remote service when the user did not explicitly request this tool.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The schema states that generated map images are stored in cloud storage for 7 days and that a download URL is returned, but it does not warn users that submitted location data will be retained externally or potentially accessible through a shareable link. Because this skill handles potentially sensitive location/address information, the omission can lead to unintended disclosure or privacy surprises, especially if users assume the output is ephemeral or private by default.

External Transmission

Medium
Category
Data Exfiltration
Content
- What AgentPMT is: ../what-is-agentpmt (ClawHub: `what-is-agentpmt`, page: https://clawhub.ai/agentpmt/what-is-agentpmt; skills.sh: `npx skills add AgentPMT/agent-skills --skill what-is-agentpmt`)
- AgentPMT account MCP/REST setup: ../agentpmt-account-mcp-rest-api-setup (ClawHub: `agentpmt-account-mcp-rest-api-setup`, page: https://clawhub.ai/agentpmt/agentpmt-account-mcp-rest-api-setup; skills.sh: `npx skills add AgentPMT/agent-skills --skill agentpmt-account-mcp-rest-api-setup`)
- Marketplace product: https://www.agentpmt.com/marketplace/air-quality-pollen-information
- AgentPMT main MCP server: https://api.agentpmt.com/mcp/
- AgentPMT REST invoke endpoint: https://api.agentpmt.com/products/purchase
Confidence
94% confidence
Finding
https://api.agentpmt.com/

External Transmission

Medium
Category
Data Exfiltration
Content
- AgentPMT account MCP/REST setup: ../agentpmt-account-mcp-rest-api-setup (ClawHub: `agentpmt-account-mcp-rest-api-setup`, page: https://clawhub.ai/agentpmt/agentpmt-account-mcp-rest-api-setup; skills.sh: `npx skills add AgentPMT/agent-skills --skill agentpmt-account-mcp-rest-api-setup`)
- Marketplace product: https://www.agentpmt.com/marketplace/air-quality-pollen-information
- AgentPMT main MCP server: https://api.agentpmt.com/mcp/
- AgentPMT REST invoke endpoint: https://api.agentpmt.com/products/purchase
Confidence
94% confidence
Finding
https://api.agentpmt.com/

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal