IQAir Air Quality

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uses an IQAir API key to fetch air-quality data, with no evidence of hidden persistence, destructive behavior, or unrelated data access.

Install if you are comfortable giving the skill a limited IQAir API key and sending queried city, coordinate, or nearest-location requests to IQAir. Prefer explicit city or coordinate lookups when privacy matters, and avoid using --nearest unless IP-based location inference is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill documentation indicates use of environment variables and outbound network access, but the skill does not declare corresponding permissions. This creates a transparency and governance gap: operators may approve or invoke the skill without realizing it can read secrets and contact external services, increasing the risk of unintended secret exposure or unauthorized data egress.

Vague Triggers

Medium
Confidence: 81%
Finding
The trigger description is broad enough to activate on generic weather requests, even though the skill is specifically for air-quality lookup. Over-broad activation can cause unnecessary third-party API calls, expose location-related user queries to an external provider more often than expected, and increase the chance that this skill runs in contexts where the user did not intend air-quality enrichment.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation recommends a nearest-city lookup based on IP address without a prominent privacy warning or consent requirement. IP-based geolocation can disclose approximate user location to the external service and may surprise users who asked a general question without expecting location inference or third-party sharing.

VirusTotal

66/66 vendors flagged this skill as clean.