Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

mcp-marine-weather

v1.0.0

Marine weather forecasts via NOAA api.weather.gov — current conditions, multi-day forecasts, and marine weather warnings. No API key needed. Use when agents...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, code, and tools all align with providing NOAA marine forecasts and alerts. The functions and parameters in SKILL.md match the included implementation.
Instruction Scope
Runtime instructions are narrowly scoped to fetching NOAA endpoints and returning forecasts/alerts. However, SKILL.md instructs users to run an external package through npx with a non-interactive install (-y), and the tool honors an optional NOAA_BASE_URL environment override (process.env.NOAA_BASE_URL) which, if set, redirects every request to whatever host it names.
Install Mechanism
There is no platform install spec in the registry, but SKILL.md recommends running `npx -y <package>`, which downloads and executes code from the npm registry without prompting (moderate risk). There are also naming/author inconsistencies across files: package.json names the package "@vbotholemu/mcp-marine-weather", the README refers to "@velocibot/mcp-marine-weather", and the bundled USER_AGENT string and author metadata reference 'velocibot'. These mismatches may be typos or copy/paste errors, or they may indicate that the package published to npm is not the code bundled here. Prefer a pinned version and validate the npm package before running npx.
Credentials
The skill requests no credentials or privileged environment variables. The only environment usage is the optional NOAA_BASE_URL override (process.env.NOAA_BASE_URL), which is a reasonable feature but should be constrained, because it changes the target of every HTTP request the tool makes.
Persistence & Privilege
The skill is not always-on and does not request elevated or persistent system privileges. It behaves as a normal MCP tool that runs only when invoked.
What to consider before installing
This skill appears to implement NOAA marine forecasts and needs no credentials, but exercise caution before using the recommended `npx -y <pkg>` installation: npx will fetch and run remote npm code. Actions to take before installing:

1) Verify that the npm package name and publisher on the npm registry match an author you trust (the repository has inconsistent names/author strings: @vbotholemu vs @velocibot).
2) Pin an explicit version rather than letting an unpinned package spec resolve to whatever is currently tagged latest; -y only suppresses the install prompt, it does not choose the version.
3) Inspect the published package contents (or the repository) to confirm they match the included source, especially the entrypoint code.
4) If you allow the optional NOAA_BASE_URL env var, ensure it can point only at trusted NOAA endpoints; otherwise it can redirect requests to an untrusted host.
5) Where possible, run the tool in a sandboxed environment or review its network activity before adding it to agents with broader privileges.
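Steps 1 and 2 can be checked mechanically over the bundled files before anything is installed. The following TypeScript is an added example and is not code from the skill, its author, or ClawHub: it reads a package.json plus the docs that accompany it, flags scoped package names that disagree with package.json, flags a package scope that does not show up in the author metadata, and flags `npx -y` invocations that do not pin an exact version. The sample file contents are constructed to mirror the mismatches the scan describes; the `Finding` shape, the bundle objects and the function names are this example's own assumptions.

```typescript
// Added example, not part of the mcp-marine-weather skill or the ClawHub scanner.
// Offline pre-install audit of a bundled npm package: name consistency across
// files, scope/author consistency, and version pinning of `npx -y` invocations.

type Finding = { severity: "high" | "medium"; message: string };

// Scoped npm package names such as @scope/name.
const SCOPED_NAME = /@[a-z0-9][a-z0-9._-]*\/[a-z0-9][a-z0-9._-]*/;
// `npx -y <spec>` or `npx --yes <spec>`; group 1 is the package spec. The class
// deliberately excludes backticks and other punctuation that docs wrap around it.
const NPX_YES = /npx\s+(?:-y|--yes)\s+([@A-Za-z0-9._\/-]+)/;
// A spec counts as pinned only if it ends in an exact @major.minor.patch version.
const PINNED = /@\d+\.\d+\.\d+$/;

function allMatches(re: RegExp, text: string): RegExpExecArray[] {
  const g = new RegExp(re.source, "g");
  const out: RegExpExecArray[] = [];
  let m: RegExpExecArray | null;
  while ((m = g.exec(text)) !== null) out.push(m);
  return out;
}

function auditBundle(files: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  const pkg = JSON.parse(files["package.json"]) as { name?: string; author?: string };
  const declared = pkg.name ?? "";
  const scope = declared.startsWith("@") ? declared.slice(1).split("/")[0] : "";

  // The scope in package.json should appear somewhere in the author metadata;
  // the scan report notes @vbotholemu in the name but 'velocibot' in author/USER_AGENT.
  if (scope !== "" && !(pkg.author ?? "").toLowerCase().includes(scope)) {
    findings.push({
      severity: "medium",
      message: `package.json scope @${scope} does not appear in author "${pkg.author ?? ""}"`,
    });
  }

  for (const path of Object.keys(files)) {
    const text = files[path];
    // Every scoped name the docs mention must be the one package.json declares.
    if (path !== "package.json") {
      for (const m of allMatches(SCOPED_NAME, text)) {
        if (m[0] !== declared) {
          findings.push({
            severity: "high",
            message: `${path} references ${m[0]} but package.json declares ${declared}`,
          });
        }
      }
    }
    // Non-interactive installs must name an exact version, not "latest".
    for (const m of allMatches(NPX_YES, text)) {
      if (!PINNED.test(m[1])) {
        findings.push({
          severity: "medium",
          message: `${path} runs "npx -y ${m[1]}" without a pinned version`,
        });
      }
    }
  }
  return findings;
}

function countBySeverity(findings: Finding[]): { high: number; medium: number } {
  return {
    high: findings.filter((f) => f.severity === "high").length,
    medium: findings.filter((f) => f.severity === "medium").length,
  };
}

// Constructed sample mirroring the report's inconsistencies (not the real files).
const SUSPICIOUS_BUNDLE: Record<string, string> = {
  "package.json": JSON.stringify({ name: "@vbotholemu/mcp-marine-weather", version: "1.0.0", author: "velocibot" }),
  "README.md": "Install: npx -y @velocibot/mcp-marine-weather",
  "SKILL.md": "Run the server with `npx -y @velocibot/mcp-marine-weather`.",
};

// Constructed sample of a consistent, pinned bundle that should produce no findings.
const CLEAN_BUNDLE: Record<string, string> = {
  "package.json": JSON.stringify({ name: "@velocibot/mcp-marine-weather", version: "1.0.0", author: "velocibot" }),
  "README.md": "Install: npx -y @velocibot/mcp-marine-weather@1.0.0",
  "SKILL.md": "Run the server with `npx -y @velocibot/mcp-marine-weather@1.0.0`.",
};

for (const f of auditBundle(SUSPICIOUS_BUNDLE)) console.log(`[${f.severity}] ${f.message}`);
console.log("clean bundle findings:", auditBundle(CLEAN_BUNDLE).length);
```

On the constructed suspicious bundle this reports two high findings (README.md and SKILL.md both name a different package than package.json) and three medium ones (the scope/author mismatch and two unpinned `npx -y` lines); the clean bundle reports nothing. It is a pre-filter, not a substitute for comparing the published tarball against the bundled source (step 3), which still needs a fetch from the registry.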
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
src/index.ts:7: Environment variable access combined with network send.
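The flagged pattern at src/index.ts:7 is `process.env.NOAA_BASE_URL` feeding the HTTP client. The check a reviewer would want at that line, as an added TypeScript example that is not the skill's own code: the weak resolver beside a hardened one that honours an override only when it is an https URL on the NOAA domain, with no embedded credentials or explicit port. The default URL is the api.weather.gov endpoint this page names; the allowlist, function names and error messages are assumptions of this example.

```typescript
// Added example, not the mcp-marine-weather skill's own code: validating an
// optional NOAA_BASE_URL override before it becomes the target of HTTP requests.
// DEFAULT_NOAA_BASE is the public NOAA endpoint named on this page; the
// allowlist, function names and error texts are this example's assumptions.

const DEFAULT_NOAA_BASE = "https://api.weather.gov";

// Only the NOAA API domain and its subdomains are acceptable overrides.
const ALLOWED_DOMAIN = "weather.gov";

type Env = Record<string, string | undefined>;

// Weak form, equivalent to `process.env.NOAA_BASE_URL ?? default`: whatever is
// in the environment becomes the request target, including an attacker's host.
function resolveBaseUnsafe(env: Env): string {
  return env.NOAA_BASE_URL ?? DEFAULT_NOAA_BASE;
}

function isAllowedHost(hostname: string): boolean {
  const h = hostname.toLowerCase();
  // Suffix match on a label boundary: "api.weather.gov.evil.example" and
  // "notweather.gov" are both rejected, "api.weather.gov" is accepted.
  return h === ALLOWED_DOMAIN || h.endsWith("." + ALLOWED_DOMAIN);
}

// Hardened form: parse the override as an absolute URL, require https, refuse
// embedded credentials and non-default ports, and pin the host to NOAA.
// Returns origin plus path with no trailing slash so callers can append routes.
function resolveBaseSafe(env: Env): string {
  const raw = env.NOAA_BASE_URL;
  if (raw === undefined || raw.trim() === "") return DEFAULT_NOAA_BASE;

  let u: URL;
  try {
    u = new URL(raw);
  } catch {
    throw new Error(`NOAA_BASE_URL is not an absolute URL: ${raw}`);
  }
  if (u.protocol !== "https:") throw new Error(`NOAA_BASE_URL must use https: ${raw}`);
  if (u.username !== "" || u.password !== "") throw new Error("NOAA_BASE_URL must not embed credentials");
  if (u.port !== "") throw new Error("NOAA_BASE_URL must not set an explicit port");
  if (!isAllowedHost(u.hostname)) throw new Error(`NOAA_BASE_URL host ${u.hostname} is not a NOAA endpoint`);
  return (u.origin + u.pathname).replace(/\/+$/, "");
}

// Does the hardened resolver accept this override value?
function acceptsOverride(value: string): boolean {
  try {
    resolveBaseSafe({ NOAA_BASE_URL: value });
    return true;
  } catch {
    return false;
  }
}

// Demonstration with a constructed attacker-controlled value: the unsafe
// resolver hands it straight to the HTTP layer, the hardened one refuses it.
const ATTACKER = "https://collector.example.net";
console.log("unsafe:", resolveBaseUnsafe({ NOAA_BASE_URL: ATTACKER }));
console.log("safe default:", resolveBaseSafe({}));
console.log("safe accepts weather.gov?", acceptsOverride("https://api.weather.gov/"));
console.log("safe accepts attacker?", acceptsOverride(ATTACKER));
```

Failing closed (throwing at startup) rather than falling back to the default is deliberate: an operator who set the variable expects it to take effect, and a silent fallback would hide a misconfiguration or an attempted redirect from the logs.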

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements
Runtime: 🌊 Clawdis
Bins: npx
