Spatix

Security checks across malware telemetry and agentic risk

Overview

Spatix is a disclosed mapping skill that sends map and location data to its hosted API, with privacy and package-install cautions but no artifact-backed malicious behavior.

Install only if you are comfortable sending map inputs to Spatix. Avoid submitting home addresses, private routes, sensitive facility locations, proprietary GeoJSON, or confidential prompt text unless you intend that data to be processed by the service and potentially exposed through generated map links or public attribution. Review the spatix-mcp package before using the optional MCP install path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly encourages passing `agent_id` and `agent_name` for leaderboard attribution and states that points are tracked publicly, but it does not clearly warn that these identifiers and associated activity may become publicly visible and linkable over time. This can lead agents or users to disclose persistent identifiers unintentionally, creating privacy and tracking risks even if the fields are not secrets.

External Transmission

Medium
Category
Data Exfiltration
Content
### Option 1: Direct API (no setup)
```bash
# Create a map from GeoJSON — no auth needed
curl -X POST https://api.spatix.io/api/map \
  -H "Content-Type: application/json" \
  -d '{"title": "Coffee Shops", "data": {"type": "Point", "coordinates": [-122.42, 37.77]}}'
# Returns: {"url": "https://spatix.io/m/abc123", "embed": "<iframe>..."}
```
Confidence
85% confidence
Finding
curl -X POST https://api.spatix.io/api/map \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**Visualize locations from text:**
```bash
curl -X POST https://api.spatix.io/api/map/from-text \
  -H "Content-Type: application/json" \
  -d '{"text": "recent earthquakes magnitude 5+ worldwide"}'
```
Confidence
84% confidence
Finding
curl -X POST https://api.spatix.io/api/map/from-text \ -H "Content-Type: application/json" \ -d '{"text": "recent earthquakes magnitude 5+ worldwide"}' ``` **Map with multiple layers:** ```bash c

External Transmission

Medium
Category
Data Exfiltration
Content
### Option 1: Direct API (no setup)
```bash
# Create a map from GeoJSON — no auth needed
curl -X POST https://api.spatix.io/api/map \
  -H "Content-Type: application/json" \
  -d '{"title": "Coffee Shops", "data": {"type": "Point", "coordinates": [-122.42, 37.77]}}'
# Returns: {"url": "https://spatix.io/m/abc123", "embed": "<iframe>..."}
```
Confidence
85% confidence
Finding
https://api.spatix.io/

External Transmission

Medium
Category
Data Exfiltration
Content
**Visualize locations from text:**
```bash
curl -X POST https://api.spatix.io/api/map/from-text \
  -H "Content-Type: application/json" \
  -d '{"text": "recent earthquakes magnitude 5+ worldwide"}'
```
Confidence
84% confidence
Finding
https://api.spatix.io/

External Transmission

Medium
Category
Data Exfiltration
Content
**Map with multiple layers:**
```bash
curl -X POST https://api.spatix.io/api/map \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Analysis with Context",
```
Confidence
82% confidence
Finding
https://api.spatix.io/

External Transmission

Medium
Category
Data Exfiltration
Content
**Route between points:**
```bash
curl -X POST https://api.spatix.io/api/map/route \
  -H "Content-Type: application/json" \
  -d '{
    "start": "San Francisco, CA",
```
Confidence
83% confidence
Finding
https://api.spatix.io/

VirusTotal

64/64 vendors flagged this skill as clean.
