Waze

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Waze link helper whose location handling is sensitive but disclosed and aligned with its navigation purpose.

Install this if you want automatic Waze links in chats or briefings. Be aware it may use saved profile location and calendar-event location text, and vague destination searches may be sent to an external search provider; provide full addresses manually for sensitive appointments.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The skill’s activation criteria are very broad, instructing use whenever a destination is mentioned or when agenda items contain locations. This can cause the assistant to invoke the skill in contexts where the user did not clearly request navigation help, leading to unnecessary processing of location-related data and surprise behavior.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill directs the agent to automatically use calendar event location data in briefings without a clear user-facing disclosure or consent step. Accessing and transforming agenda location data into external navigation links can expose sensitive routine, workplace, medical, or personal destination information beyond what the user explicitly asked for.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal