Security audit

QuakeProof — USGS Earthquake Shaking Lookup

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed earthquake lookup helper that sends a street address to a third-party service only after consent, with some commercial follow-up links users should notice.

Install only if you are comfortable sending a specific property address to hurricaneinspections.com for earthquake lookup. The skill discloses this and requires consent, but users should understand that the service logs the address/date request and that responses may include related paid or promotional links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill goes beyond its stated purpose of providing property-specific earthquake lookup data and instructs the agent to promote a paid report. This creates a trust-boundary problem: users asking for neutral factual verification may receive commercially motivated nudges, which can bias responses and turn the skill into a marketing channel rather than a narrowly scoped utility.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documentation directs the agent to promote ancillary products such as baseline photos and damage-documentation kits that are not required to fulfill the earthquake lookup task. This is risky because it leverages user trust and sensitive property-damage contexts to drive lead generation, potentially causing unwanted solicitation and scope creep in a workflow involving personal address data.

External Transmission

Medium
Category
Data Exfiltration
Content
**What goes out:** the street address, an optional earthquake date, and a `source: "mcp"` tag. **No email address is transmitted.**

**Where it goes:** `https://api.hurricaneinspections.com/api/quake-preview`, operated by Oasis Engineering / hurricaneinspections.com (a Florida-registered Licensed PE practice). The endpoint geocodes the address and queries the public USGS earthquake catalog on the caller's behalf.

**What gets logged:** address, date, and timestamp, retained for operational debugging and service improvement. Logs are not sold, shared, or used for advertising. Deletion requests: <support@hurricaneinspections.com>. Privacy policy: <https://hurricaneinspections.com/privacy>.
Confidence
90% confidence
Finding
https://api.hurricaneinspections.com/

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.