Back to skill

Security audit

Pollen rapporten

Security checks across malware telemetry and agentic risk

Overview

This is a scoped Swedish pollen forecast helper that calls a disclosed public API and shows no hidden access, persistence, or credential handling.

Install only if you are comfortable with the skill contacting api.pollenrapporten.se to retrieve Swedish pollen forecast data for the mapped region. Treat allergy and medication suggestions as informational, not medical advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly directs execution of a Python script that performs outbound API requests, but the skill metadata shown in SKILL.md does not declare corresponding network permissions. This creates a transparency and governance gap: operators and policy engines may not realize the skill transmits user-supplied location queries to an external service, reducing informed consent and weakening permission enforcement.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.