Aika Gps

Security checks across malware telemetry and agentic risk

Overview

This skill is for legitimate GPS dispatch work, but it exposes sensitive technician location access with bundled credentials, weak transport claims, and little user-facing authorization guidance.

Install only if you are authorized to track these technicians and have a workplace policy for doing so. Before use, rotate or remove the bundled GPS credentials, store secrets outside the skill files, disable HTTP fallback URLs, and add explicit access controls, consent/notice, audit logging, and limits on location precision and retention.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 86%
Finding:
The function claims it may fail to resolve an address, but in practice it always returns default coordinates for unknown input. This can silently route location and distance calculations to the wrong place, potentially exposing or misusing technician location data and causing incorrect operational decisions.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill clearly exposes real-time technician location, nearest-technician lookup, distance, ETA, and geofencing, but the user-facing description does not warn that sensitive location data will be accessed and shown. This creates a privacy and surveillance risk because users may invoke the skill without clear notice that it reveals employees' live whereabouts and movement patterns.

VirusTotal

64/64 vendors flagged this skill as clean.
