Back to skill

Security audit

Solar Weather Monitor

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward solar-weather helper that fetches public NOAA space-weather data and does not show private data access, persistence, or destructive behavior.

Install only if you are comfortable allowing the included Python script to contact NOAA's public SWPC service for live space-weather data. It does not require credentials and the reviewed artifacts do not indicate local data collection, file modification, or persistence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation describes functionality that depends on fetching real-time NOAA SWPC data, which implies network access, but no corresponding permission is declared. Undeclared network capability is a security and governance issue because it prevents proper review of outbound data access, makes runtime behavior less transparent, and can mask future expansion to additional external endpoints.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.