Stormglass Surf & Ocean Data

Security checks across malware telemetry and agentic risk

Overview

This surf-report skill does what it says, but it should be reviewed because an optional Google API key can be exposed in error output or cron logs.

Install only if you are comfortable sending surf spot names or coordinates to Stormglass and, for location lookup, to Google or OpenStreetMap. Prefer direct coordinates or mock mode for privacy-sensitive use, store API keys in environment-backed secrets, and avoid running the Google geocoding path from cron, where its output is logged, until error messages redact URLs or keys.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares environment-variable requirements and explicitly describes live API calls to Google, OpenStreetMap, and Stormglass, plus shell execution via Python scripts, but it does not declare corresponding permissions. This creates a capability/permission mismatch that can undermine sandboxing, surprise operators, and enable unintended outbound network access or secret use if the runtime trusts declared permissions for policy decisions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The reference explicitly instructs sending user-provided location strings to Google Geocoding or OpenStreetMap Nominatim, but it does not require user notice, consent, or minimization. Location queries can contain sensitive or identifying places such as home addresses, making this a real privacy issue due to third-party data disclosure.

Missing User Warnings

Low
Confidence
75% confidence
Finding
The authentication section names sensitive API keys and shows how they are passed, but provides no handling guidance such as storing them in secrets management, avoiding logs, or preventing exposure in error output. This omission can lead to accidental credential leakage during implementation or debugging.

VirusTotal

60/60 vendors flagged this skill as clean.
