Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

mcp-aviation-weather

v1.0.0

Aviation weather data — METAR observations, TAF forecasts, and nearby station discovery via L402 API. Use for flight planning, airport weather checks, and av...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (METAR/TAF/nearby stations) matches the code and README. Required binary (npx) is reasonable given the MCP server configuration uses npx to run the package. No unrelated credentials or binaries are requested.
[!] Instruction Scope
SKILL.md and README instruct the agent to use an environment variable named L402_API_BASE_URL (and the SKILL metadata lists L402_API_BASE_URL), but the actual runtime code (src/dist) reads process.env.NAUTDEV_BASE_URL and falls back to https://api.nautdev.com. The instructions and examples therefore disagree with the code, which could cause the tool to hit the default API endpoint unexpectedly or fail if users only set the declared env var. README package names and examples also diverge from package.json (different scoped package and different author/team names).
Install Mechanism
No explicit install spec is provided (instruction-only style), but the package includes code and a bin entry; the MCP configuration uses npx -y @vbotholemu/mcp-aviation-weather which will download and execute the package from npm at runtime. That is expected for this type of MCP tool but means code will be fetched from the npm registry when invoked — verify the package source and publisher before running.
[!] Credentials
The registry declares L402_API_BASE_URL as required, but the code uses NAUTDEV_BASE_URL (with a default URL). No API keys or sensitive credentials are requested, which is proportionate for a read-only weather API. The mismatch in env var names is the main concern: it may lead to inadvertent use of the default endpoint or confuse users into supplying the wrong variable.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always:false). It will run as an MCP server process via npx and connect over stdio; it does not modify other skills or system-wide config.
What to consider before installing
This skill seems to do what it says (fetch METAR/TAF/nearby stations) and doesn't ask for secrets, but there are packaging/instruction mismatches you should clear up before installing:

  • Env var mismatch: SKILL.md/registry declare L402_API_BASE_URL but the code reads NAUTDEV_BASE_URL (defaulting to https://api.nautdev.com). If you set only L402_API_BASE_URL the running code will ignore it. Either set NAUTDEV_BASE_URL in your environment or ask the author to fix the docs/manifest to use one consistent variable.
  • Package identity mismatch: README and package.json reference different scoped names/authors. Confirm the npm package name (@vbotholemu/mcp-aviation-weather) and publisher are legitimate before running npx to fetch it.
  • Network behavior: The tool will contact api.nautdev.com by default. If you need to avoid that, set the correct BASE env var to your preferred endpoint or don't provide the env var to force a failure instead of using the default.
  • Runtime download: Running via npx will fetch and execute code from npm — only do this for packages you trust. Consider reviewing the package contents on the registry (or installing in an isolated environment) before allowing the agent to run it.

If you want to proceed safely: ask the publisher to fix the env-var and README inconsistencies, verify the package on npm/github, or run the package locally in a sandbox and set NAUTDEV_BASE_URL explicitly to the endpoint you expect. If the author cannot explain the mismatches, treat this as a red flag and avoid installing.
dist/index.js:7: Environment variable access combined with network send.
src/index.ts:7: Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.


Runtime requirements

✈️ Clawdis
Bins: npx
Env: L402_API_BASE_URL

SKILL.md

Aviation Weather (L402)

METAR reports, TAF forecasts, and nearby station search for aviation weather.

Setup

{
  "mcpServers": {
    "aviation-weather": {
      "command": "npx",
      "args": ["-y", "@vbotholemu/mcp-aviation-weather"],
      "env": {
        "L402_API_BASE_URL": "https://api.nautdev.com"
      }
    }
  }
}

Tools

get_metar

Current METAR observation for any ICAO station.

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| station | string | yes | ICAO station code (e.g., KJFK) |

get_taf

Terminal Aerodrome Forecast.

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| station | string | yes | ICAO station code |

find_stations

Find nearby weather stations by coordinates.

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| latitude | number | yes | Latitude |
| longitude | number | yes | Longitude |
| radius_nm | number | no | Search radius in nautical miles |

When to Use

  • Pre-flight weather briefings
  • Airport condition monitoring
  • Flight planning and routing
  • Aviation safety assessments
