Cs Qweather Jwtgen

Security checks across malware telemetry and agentic risk

Overview

This skill generates a QWeather API token using local credentials, and its sensitive file and environment-variable use is disclosed and purpose-aligned.

Install this only if you intend to generate QWeather API JWTs on this machine. Keep the private key and generated token private, avoid sharing terminal output because it includes the full JWT, and install PyJWT from a trusted Python environment.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill documentation describes capabilities to read environment variables, read a private key from disk, write a token file, and invoke a shell command, but it does not declare permissions for those actions. This creates a trust and review gap: an agent or operator may approve or run the skill without realizing it accesses sensitive secrets and filesystem paths, which increases the risk of secret exposure or unintended file operations.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal