Nordpool Fi

Security checks across malware telemetry and agentic risk

Overview

This skill only fetches public Finnish electricity prices and calculates charging windows, with a daylight-saving-time accuracy caveat.

Install only if you are comfortable with the skill contacting Porssisahko.net whenever it runs. Do not rely on its charging-window times without checking daylight-saving-time behavior, especially during Finnish summer time. Otherwise, the artifacts show no credential use, persistence, local data access, or account-changing behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill documentation exposes a tool that performs outbound network access to the Porssisahko.net API, but the skill declares no permissions. This creates a transparency and policy-enforcement gap: hosts or reviewers may assume the skill is passive when it can actually contact external services, which can enable unexpected data flow, dependency on untrusted remote content, and bypass of least-privilege controls.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The code comment states Finland summer/winter time is handled, but `to_local()` always applies a fixed UTC+2 offset. During daylight saving time, this misclassifies current and future hourly buckets by one hour, which can produce incorrect current price, daily stats, and optimal EV charging windows. In this skill’s context, wrong scheduling decisions can directly cause financial loss or charging at unintended times.

VirusTotal

63/63 vendors flagged this skill as clean.
