Security audit

Map Generator With Markers

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent remote map-generation integration, with some privacy and activation-scope caveats but no evidence of deception or unsafe behavior.

Install only if you are comfortable sending map coordinates, labels, and route details to AgentPMT for remote image generation. Avoid using it for private homes, sensitive sites, protected locations, or identifying labels unless the user has explicitly approved external processing and 7-day hosted access.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The skill metadata description includes broad discovery terms such as "create map," "points," and "map type," which are generic enough to trigger this remote skill in contexts where a user did not explicitly ask to send location data to an external service. Because the tool transmits coordinates and labels to a hosted endpoint and stores outputs for 7 days, accidental invocation can create unnecessary privacy and data-handling risk.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The "When To Use" section is permissive and lacks clear do-not-use boundaries, so an orchestrating agent may select this skill whenever location-like content appears, even if a local, non-persistent alternative would be safer. In this skill's context, that ambiguity is more dangerous because input data is sent off-platform and generated images remain accessible via signed URL for 7 days.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The capability description explains map generation features but does not clearly warn that supplied coordinates, labels, and paths are transmitted to a remote hosted service and that resulting images are stored in cloud storage for 7 days. This can mislead users or calling agents into sharing precise location data without informed consent, creating privacy and retention risk.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal