Security audit

Location Street View Satellite Imagery

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed AgentPMT location-imagery and geocoding integration, with expected remote calls and short-term image link storage.

Install only if you are comfortable sending addresses or coordinates to AgentPMT for paid remote processing. Avoid sending highly sensitive home, workplace, or travel locations unless needed, and remember generated image links may remain available for up to 7 days.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The activation keywords include very generic terms such as "geocode" and "address," which can cause the skill to be selected in contexts far broader than intended. In an agent environment, overly broad routing triggers can lead to unintended transmission of user-provided location data to a remote service and unexpected paid tool execution.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill explains functionality but does not prominently warn users up front that location queries are sent to a third-party remote service and that returned imagery is retained for 7 days. This creates a meaningful privacy and data-handling risk because users may provide sensitive home, workplace, or travel-related locations without informed consent.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal