Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Natural Disaster Intel
v1.0.0
FEMA disaster declarations, NOAA weather alerts, and USGS earthquake data. 3 tools for real-time disaster monitoring.
⭐ 0· 404·2 current·2 all-time
by Martin @martc03
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (FEMA/NOAA/USGS) match the SKILL.md which exposes three disaster-monitoring tools. The requirement for the 'mcporter' binary is consistent with adding an MCP server. However, the runtime instructions recommend writing to ~/.openclaw/mcp.json (agent config) while the skill metadata lists no required config paths — a small mismatch that should be declared.
Instruction Scope
The SKILL.md instructs the agent/user to add a remote MCP server URL (https://natural-disaster-intel-mcp.apify.actor/mcp) using mcporter or by editing ~/.openclaw/mcp.json. That action connects the agent to an external host which can stream tool interfaces and data; instructions do not request unrelated local data, but they do modify the agent's MCP config (a privileged configuration surface). The doc does not describe what the remote server will publish beyond the three tools.
Install Mechanism
There is no install spec and no code files — lowest-risk deployment surface. The single binary dependency (mcporter) is reasonable for adding an MCP server. No downloads/archives or opaque install URLs are provided by the skill itself.
Credentials
The skill requests no environment variables or credentials, which is proportional. However, it implicitly requires write access to the user's MCP config (~/.openclaw/mcp.json) via mcporter or manual edit; that config-path requirement is not listed in the metadata and should be declared.
Persistence & Privilege
always is false (good) and autonomous invocation is allowed (platform default). The actionable concern is that adding the remote MCP server persists a reference in the agent config so the external host can supply/stream tools later — this increases the blast radius of the remote service and should be trusted only if the server/operator is verified.
What to consider before installing
This skill appears to honestly provide FEMA/NOAA/USGS data, but installing it requires adding a third-party MCP server (natural-disaster-intel-mcp.apify.actor) to your OpenClaw MCP config. Before you install:
1) Verify the GitHub homepage and the operator running the Apify actor; inspect the server's source code if available.
2) Back up and inspect your existing ~/.openclaw/mcp.json after running mcporter (or edit it manually) so you know what changed.
3) Be aware that the remote server can stream arbitrary tool implementations to your agent — only add servers you trust.
4) If you prefer reduced risk, query FEMA/NOAA/USGS APIs directly or run a self-hosted MCP server that you control.
If you want greater assurance, provide the skill author or publisher info and server implementation details; that would raise confidence from medium to high.
Like a lobster shell, security has layers — review code before you run it.
latest vk972pcnjgte7jbgqmdetn4abh581yna2
Runtime requirements
🌪️ Clawdis
Bins: mcporter
