Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Beach Safety

v1.1.0

Comprehensive beach surf conditions via mcporter MCP call. Use when asked about surf, waves, swim conditions, rip currents, or beach safety at any beach worl...

0 · 107 · 1 current · 1 all-time
by Evan Foglia (@evanfoglia)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (beach surf and safety reports) match the code: geocoding, NOAA/Open-Meteo/OpenUV lookups, scoring and recommendations. However, the SKILL.md includes an opinionated install snippet that references a specific user's absolute home path and instructs placing the MCP server outside the skills tree; this is not strictly necessary to provide the claimed capability and is unusual.
Instruction Scope (flagged)
SKILL.md instructs adding an MCP server entry that points to a hard-coded path (/Users/evanfoglia/...) and states that the server lives outside the skills tree (persistence). The instructions therefore go beyond simple API calls: they require the user to run a local server process and modify their mcporter config, which increases the attack surface and should be done knowingly. The SKILL.md does not explicitly document the optional OPENUV_API_KEY usage present in the code.
Install Mechanism
There is no automated install spec (instruction-only), which is lower risk, but code files are included and the server expects Python dependencies (e.g., httpx) that are not declared. The lack of dependency/install guidance may cause users to copy/run code in environments without isolation. No external download URLs or extract/install steps were found.
Credentials
The registry metadata lists no required env vars, but the code optionally reads OPENUV_API_KEY (and beach_lookup.py also reads it). Requesting an optional OpenUV key is reasonable for UV data, but the SKILL.md does not call this out. No unrelated credentials are requested.
Persistence & Privilege (flagged)
The skill instructs users to register and run an MCP server from a workspace path outside the skills tree, which creates a persistent local process and modifies mcporter configuration. While always:false and autonomous invocation are normal, this persistence and external placement increase the blast radius and should be explicitly acknowledged by the user.
What to consider before installing
This skill appears to do what it says (geocode a beach, call public weather/ocean APIs, compute a safety score), but take these precautions before installing or running it:
1) Review the full src/server.py yourself (it's long) to confirm there are no hard-coded endpoints or network callbacks you don't want.
2) Do not blindly copy the mcporter config example; it references a specific user's absolute path. Change paths to locations you control and understand.
3) Run the MCP server in an isolated environment (container, VM, or non-privileged account) and ensure Python dependencies (httpx) are installed in a virtualenv.
4) Be aware that the code optionally reads OPENUV_API_KEY for UV data; only provide keys you trust and scope.
5) If you don't want a persistent local process or config changes, consider calling the included functions via the CLI (beach_lookup.py) instead of registering a long-running MCP server.
If you want higher assurance, ask the author for a dependency list, a README with expected ports, and a non-user-specific mcporter config example before proceeding.


latest · vk9722zr1hg0zx904hexem41rc98409af
