KnowAir Air Quality 明气空气质量

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward weather-forecast helper that uses a disclosed Caiyun API token to fetch forecast data.

Install this only if you are comfortable providing a Caiyun Weather API token and sending queried coordinates to Caiyun. Use a token intended for this service, and avoid querying locations you consider sensitive.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill declares tool access that enables reading environment variables and making network requests via Python, but it does not explicitly declare corresponding permissions. This creates a transparency and policy gap: users or platform controls may not realize the skill can access a secret token and transmit data off-host to an external API, which increases the risk of unintended secret exposure or overbroad capability use.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal