Weather Pollen

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform only weather and pollen lookups, but users should know that it reports data for a configured location rather than performing a true lookup for any arbitrary location.

Install only if you want weather for a configured latitude/longitude and pollen for the built-in Anna, TX ZIP code. Do not rely on it for arbitrary-city pollen or weather unless you update the configuration/code to match the location you care about.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill uses environment variables and network access but does not declare corresponding permissions, which weakens transparency and policy enforcement around what the skill can access. In an agent ecosystem, undeclared capabilities can cause operators and users to grant trust under false assumptions, increasing the risk of unintended data access or outbound requests.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 97%
Finding
The skill claims to provide weather and pollen reports for any requested location, but the described behavior indicates requests are effectively tied to fixed coordinates and a hardcoded pollen ZIP, while the user-supplied location may only change the displayed label. This is dangerous because it can mislead users into acting on incorrect environmental data for a different location, especially for health-sensitive pollen decisions or weather-related planning.

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
The skill advertises pollen reports for any location, but the pollen endpoint is hardcoded to ZIP code 75409, so users will receive Anna, TX pollen data regardless of the requested location. This is an integrity issue that can mislead users into making health decisions based on incorrect allergen data.

Description-Behavior Mismatch

Medium
Confidence: 99%
Finding
The weather request always uses environment-configured coordinates, while the user-supplied location only changes the displayed label in the report. This can deceive users into believing data corresponds to their requested location, creating a spoofing/integrity problem with potentially unsafe downstream decisions.

VirusTotal

66/66 vendors flagged this skill as clean.
