Back to skill

Security audit

Aviation Weather

Security checks across malware telemetry and agentic risk

Overview

This skill fetches aviation weather from the disclosed aviationweather.gov API and does not show hidden data access, persistence, or destructive behavior.

Install this if you are comfortable sending airport codes and, for PIREP searches, latitude/longitude search areas to aviationweather.gov. For flight-critical decisions, verify results through official aviation briefing channels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill explicitly instructs use of an external FAA weather API, so network access is a real capability even though no permissions are declared. This creates a transparency and governance issue: users or the hosting platform may not realize the skill can make outbound requests, which can affect privacy, auditing, and policy enforcement even if the destination appears legitimate.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.