ClawHub

Dataify Google Map Details

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly disclosed wrapper for submitting Google Maps detail collection jobs to Dataify, with no evidence of hidden persistence, unrelated data access, or deceptive behavior.

Install this only if you intend to let your agent submit Google Maps detail collection jobs to Dataify. Be aware that a saved DATAIFY_API_TOKEN may be reused for future submissions, so review the mode and parameters before allowing a run and consider whether Dataify usage may consume account quota or incur charges.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger description is extremely broad and includes many synonymous phrasings for scraping or collecting Google Maps data, which can cause the skill to activate in situations where the user did not explicitly intend to use this third-party data collection workflow. In context, that is risky because activation can lead to use of stored credentials and submission of data to an external API, making accidental invocation more dangerous than a normal overbroad description.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill enables implicit invocation, which allows the agent to trigger this external-action capability without an explicit user request scoped to a narrow set of conditions. Because this skill submits Dataify tasks for scraping Google Maps details, broad auto-invocation increases the risk of unintended external requests, user-surprising data collection, or prompt-triggered abuse from ambiguous input.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal