ClawHub

Weather Tool

Security checks across malware telemetry and agentic risk

Overview

This weather skill appears to do only weather lookups, but it disables normal HTTPS certificate checks when contacting the weather service.

Review before installing. The skill is small and purpose-aligned, but users should ask the maintainer to restore normal HTTPS verification before relying on it, especially for precise or sensitive locations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation demonstrates a weather script that likely performs network access, but the skill declares no permissions. Undeclared network capability is a real security issue because it hides the skill's operational scope from reviewers and users, reducing transparency and making abuse or unexpected data exfiltration harder to detect. In this context, weather retrieval legitimately needs network access, which lowers suspicion of malicious intent, but the missing declaration remains a policy and security gap.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code creates a TLS context with hostname checking disabled and certificate verification turned off before fetching data over HTTPS. This makes the request vulnerable to man-in-the-middle interception or spoofing, allowing an attacker on the network path to supply forged weather data or maliciously crafted responses while the client believes the connection is secure.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Disabling certificate verification removes the core authenticity guarantee of HTTPS, so the tool cannot verify it is actually talking to wttr.in. In this skill's context, the primary impact is integrity loss of returned weather information and possible denial of service or malformed-response handling issues, rather than direct code execution.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal