Security audit

Local Business Discovery And Mapping

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward mapping and place-search skill that uses AgentPMT and Google Maps for location lookups, with privacy considerations but no hidden or destructive behavior found.

Install this only if you want agents to perform paid AgentPMT/Google Maps place and geocoding lookups. Avoid sending home, workplace, medical, or other sensitive locations unless the user explicitly asks for that lookup, and keep account, wallet, and payment credentials out of prompts and logs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The skill advertises broad activation keywords such as generic location-related terms, which can cause an agent to invoke this remote skill for ordinary user requests that merely mention addresses, nearby places, or geocoding. In this context, overbroad triggering is risky because it can unnecessarily route user location/address data to a third-party service and create unintended paid external calls.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill enables geocoding, reverse geocoding, and nearby search through AgentPMT-hosted remote calls, but the description does not prominently warn that addresses, coordinates, and location context may be sent to an external third-party service. Because location data is sensitive, the lack of disclosure increases the chance of users or agents sharing private travel, home, work, or medical-location information without informed consent.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The schema documents actions that send precise addresses, place names, and coordinates to an external geocoding/search service but provides no user-facing disclosure or consent warning. This can cause agents or downstream users to share sensitive location data unintentionally, including home, workplace, or medical-related destinations, creating privacy and compliance risk.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The nearby search description specifically states that addresses will be automatically geocoded, yet it omits a warning that this process shares location data externally. Because the feature can combine address, coordinates, category filters, and radius, it may reveal sensitive user whereabouts or intent without adequate transparency.

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal