OSRM Maps Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is a straightforward maps helper that sends user-provided locations to public OSRM and Nominatim services for routing and geocoding.

Install this for normal map lookups if you are comfortable sending searched places and route coordinates to public OSRM and Nominatim/OpenStreetMap services. Avoid submitting sensitive home, workplace, medical, legal, or private travel locations unless that third-party processing is acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill clearly relies on outbound network access to public OSRM and Nominatim services, but no corresponding permission is declared. Undeclared network capability weakens policy enforcement and user/operator visibility, making it easier for a skill to contact external services without explicit approval or review.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The script sends precise origin and destination coordinates to a third-party OSRM service over the network without any explicit user notice or consent mechanism. Even though this is necessary for the routing feature and uses HTTPS, location data is sensitive and may reveal home, work, or travel patterns, so undisclosed external transmission is a real privacy weakness.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal