Back to skill

Security audit

BMKG Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward BMKG earthquake and weather monitor that fetches public Indonesian government data and shows no hidden local or account impact.

Install this only if you are comfortable with it making live requests to BMKG government domains for earthquake, tsunami, weather, and warning information. It does not show evidence of credential access, persistence, or local data collection, but clearer permission metadata would make the network behavior easier to review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill explicitly instructs use of live BMKG endpoints for earthquake, weather, tsunami, and warning data, which requires network access, yet no declared permissions are present. This creates a permission/capability mismatch that can bypass expected review controls, obscure the skill's external data access, and increase supply-chain and data-exfiltration risk if the implementation is modified or abused.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.