ClawHub

SeaLegs AI Marine Forecast API

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed SeaLegs marine forecast API integration, with expected API-key use and external requests but no evidence of hidden, destructive, or unrelated behavior.

Install only if you are comfortable sending forecast locations, dates, vessel details, and optional metadata to SeaLegs using your API key. Ask for confirmation before creating or refreshing forecasts because those actions consume credits, avoid putting secrets or sensitive personal data in metadata or webhook payloads, and do not rely on GO/CAUTION/NO-GO labels as the sole basis for boating decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares runtime capabilities via metadata that require an API key and network access, but the file does not present any explicit permission declaration or user-facing warning about those capabilities. In a skill ecosystem, hidden or under-declared access to environment secrets and outbound network communication reduces informed consent and can enable unintended secret use or external data transmission.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The webhook section states that user-supplied metadata is echoed back exactly as sent, but it does not warn that this data will be transmitted to a third-party endpoint designated by the webhook URL. That can lead users or integrators to include sensitive trip names, identifiers, or personal data in metadata that is then disclosed externally or to an attacker-controlled endpoint.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The example clearly sends precise location, trip timing, and vessel characteristics to a third-party API, but the workflow does not warn users that this data leaves the local environment. This creates a real privacy and informed-consent issue, especially because marina location and vessel details can be sensitive operational information.

External Transmission

Medium
Category
Data Exfiltration
Content
## Step 1: Create the SpotCast

```bash
curl -X POST https://api.sealegs.ai/v3/spotcast \
  -H "Authorization: Bearer $SEALEGS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
90% confidence
Finding
curl -X POST https://api.sealegs.ai/v3/spotcast \ -H "Authorization: Bearer $SEALEGS_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Step 1: Create the SpotCast

```bash
curl -X POST https://api.sealegs.ai/v3/spotcast \
  -H "Authorization: Bearer $SEALEGS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
90% confidence
Finding
https://api.sealegs.ai/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal