ClawHub

光伏设计NASA日均气象数据获取

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: geocode a user-provided location, fetch NASA POWER weather data, and save the results as an Excel file.

Install only if you are comfortable sending entered place names or coordinates to OpenStreetMap Nominatim and NASA POWER. For sensitive home or workplace locations, prefer entering approximate coordinates or a less precise area, and choose the output path deliberately because the generated Excel file will remain on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill performs outbound network operations to third-party services but does not declare permissions or otherwise make that capability explicit. This weakens sandboxing and user trust boundaries because a reviewer or runtime policy may not realize the skill can transmit user-supplied data externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
85% confidence
Finding
The stated purpose focuses on NASA meteorological data retrieval, but the workflow also geocodes arbitrary user locations via OpenStreetMap Nominatim. That mismatch matters because users may not expect their raw address or place name to be sent to an additional external service, creating a privacy and transparency issue.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill omits a warning that user-provided location data is transmitted to external services and that generated Excel files are written to local storage. This can expose sensitive location information and leave artifacts on disk without informed user consent, especially when users provide precise addresses such as home or workplace locations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal