KnowAir Historical 明气历史天气

Security checks across malware telemetry and agentic risk

Overview

This weather-history skill is coherent and disclosed, but it sends your requested coordinates and Caiyun API token to Caiyun to fetch results.

Install this only if you intend to use Caiyun for historical weather. Use a dedicated Caiyun API token if possible, protect any local token file, and avoid querying exact private locations unless you are comfortable sending those coordinates to Caiyun.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill declares only allowed tools, but its metadata and usage clearly require access to an environment variable (`CAIYUN_TOKEN`) and outbound network access to the Caiyun Weather API. If the platform relies on explicit permission declarations for enforcement or user review, this mismatch can lead to under-scoped security review and unintended secret or network exposure.

VirusTotal

62/62 vendors flagged this skill as clean.
