ClawHub
Back to skill

Security audit

Multi Location Route Optimizer W Map

Security checks across malware telemetry and agentic risk

Overview

This appears to be a route-planning skill whose location handling is purpose-aligned, but users should be aware that addresses or coordinates may be sent to external services.

Install only if you want an agent to use AgentPMT or mapping services for route planning. Avoid submitting sensitive home, customer, or operational locations unless the user explicitly intends that external sharing, and prefer generalized stops when exact addresses are not required.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation keywords include long generic business-use prose rather than narrowly scoped triggers, which increases the chance that an agent will invoke this skill for loosely related travel, delivery, or scheduling tasks. That can cause unintended disclosure of sensitive addresses, customer locations, or itinerary data to the external routing provider without clear user intent.

Vague Triggers

Low
Confidence
81% confidence
Finding
The 'When To Use' guidance mostly restates the product name and generic capability instead of defining concrete decision boundaries, so an orchestrating agent may over-select this skill. In a skill that transmits user-supplied location data to third-party services, ambiguous invocation criteria increase the risk of accidental external sharing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill solicits precise addresses and coordinates and generates Google Maps links, but it does not prominently warn that this location data will be sent to external AgentPMT and likely downstream mapping/routing services. Users and calling agents may therefore expose sensitive home, customer, or operational location data without informed consent or minimization.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal