Weather NWS

Security checks across malware telemetry and agentic risk

Overview

This weather skill does what it says: it sends a requested location to public weather/geocoding services and optionally uses an AirNow API key for air-quality results.

Install only if you are comfortable sharing queried locations, which may include home addresses or travel plans, with public geocoding and weather providers. If using AQI, use an AirNow API key created for this purpose and avoid reusing sensitive credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill documentation advertises use of environment variables and multiple outbound network services, but no explicit permissions are declared for those capabilities. In an agent ecosystem, missing capability declarations undermine least-privilege controls and informed user consent, allowing a seemingly simple weather skill to access network resources and secrets without transparent governance.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The declared purpose emphasizes NWS weather forecasting and wttr.in fallback, but the skill also documents additional behaviors including AQI retrieval, current observations, astronomical calculations, aviation forecasts, and fire weather checks. This mismatch reduces transparency about what data sources and functions are invoked, which can mislead users and policy systems into approving broader data access and network activity than expected.

Missing User Warnings

Medium
Confidence: 95%
Finding
User-provided location queries are sent to third-party services (Nominatim for geocoding, and elsewhere wttr.in/AirNow/NWS) without any explicit user-facing disclosure or consent flow. Location strings can contain sensitive personal data such as home address, ZIP code, or travel context, so silent transmission to external services creates a privacy and data-handling risk.

VirusTotal

64/64 vendors flagged this skill as clean.
