ClawHub

BMKG Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward BMKG weather and seismic data monitor that fetches public government data without signs of credential access, persistence, or hidden local impact.

Install only if you are comfortable with the skill making network requests to BMKG government domains for live monitoring data. There is no evidence of hidden credential access or persistence, but permission metadata would make the network requirement clearer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

External Transmission

Medium
Category
Data Exfiltration
Content
import json
import xml.etree.ElementTree as ET

BASE_URL = "https://data.bmkg.go.id/DataMKG/TEWS/"
SHAKEMAP_BASE = "https://data.bmkg.go.id/DataMKG/TEWS/"
WEATHER_API = "https://api.bmkg.go.id/publik/prakiraan-cuaca"
WARNINGS_URL = "https://www.bmkg.go.id/alerts/nowcast/id"
Confidence
60% confidence
Finding
https://data.bmkg.go.id/

External Transmission

Medium
Category
Data Exfiltration
Content
import xml.etree.ElementTree as ET

BASE_URL = "https://data.bmkg.go.id/DataMKG/TEWS/"
SHAKEMAP_BASE = "https://data.bmkg.go.id/DataMKG/TEWS/"
WEATHER_API = "https://api.bmkg.go.id/publik/prakiraan-cuaca"
WARNINGS_URL = "https://www.bmkg.go.id/alerts/nowcast/id"
Confidence
60% confidence
Finding
https://data.bmkg.go.id/

External Transmission

Medium
Category
Data Exfiltration
Content
BASE_URL = "https://data.bmkg.go.id/DataMKG/TEWS/"
SHAKEMAP_BASE = "https://data.bmkg.go.id/DataMKG/TEWS/"
WEATHER_API = "https://api.bmkg.go.id/publik/prakiraan-cuaca"
WARNINGS_URL = "https://www.bmkg.go.id/alerts/nowcast/id"
Confidence
60% confidence
Finding
https://api.bmkg.go.id/

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal