Apify Google Maps Scraper

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Apify-based Google Maps scraping skill, but users should understand it sends searches to Apify and may collect business emails by default.

Install only if you intend to use Apify for Google Maps scraping. Treat `APIFY_API_TOKEN` as a secret, expect searches and scraped results to be processed by Apify, review the remote actor before sensitive or large jobs, and disable email scraping unless the user explicitly wants it and has a compliant reason to collect contact data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad enough to match ordinary local-search requests such as finding nearby businesses or restaurants, which can cause the scraping skill to activate when a user may only expect a simple lookup. In this skill, unintended invocation is more concerning because activation sends search terms and potentially enriched business data to a third-party service and may perform email scraping by default.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description omits a clear warning that user queries and resulting business data are transmitted to Apify and that the actor may visit business websites to scrape emails. That lack of disclosure increases the risk of users unknowingly authorizing third-party data transfer and collection of personal/contact information.

External Transmission

Medium
Category
Data Exfiltration
Content
BASE = "https://api.apify.com/v2"

# Step 1: Start the run
response = requests.post(
    f"{BASE}/acts/futurizerush~google-maps-scraper/runs?token={TOKEN}",
    json={
        "searchQueries": ["coffee shop taipei"],
Confidence
95% confidence
Finding
requests.post( f"{BASE}/acts/futurizerush~google-maps-scraper/runs?token={TOKEN}", json=

External Transmission

Medium
Category
Data Exfiltration
Content
### Search with direct Google Maps URL

```python
requests.post(
    f"{BASE}/acts/futurizerush~google-maps-scraper/runs?token={TOKEN}",
    json={
        "startUrls": [
Confidence
94% confidence
Finding
requests.post( f"{BASE}/acts/futurizerush~google-maps-scraper/runs?token={TOKEN}", json=

External Transmission

Medium
Category
Data Exfiltration
Content
### Multiple queries

```python
requests.post(
    f"{BASE}/acts/futurizerush~google-maps-scraper/runs?token={TOKEN}",
    json={
        "searchQueries": ["dentist new york", "lawyer new york", "accountant new york"],
Confidence
94% confidence
Finding
requests.post( f"{BASE}/acts/futurizerush~google-maps-scraper/runs?token={TOKEN}", json=

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Step 1: Start the run
RUN_RESPONSE=$(curl -s -X POST \
  "https://api.apify.com/v2/acts/futurizerush~google-maps-scraper/runs?token=$APIFY_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"searchQueries": ["coffee shop taipei"], "maxResults": 50, "language": "en", "scrapeEmails": true}')
Confidence
95% confidence
Finding
curl -s -X POST \ "https://api.apify.com/v2/acts/futurizerush~google-maps-scraper/runs?token=$APIFY_API_TOKEN" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Step 1: Start the run
RUN_RESPONSE=$(curl -s -X POST \
  "https://api.apify.com/v2/acts/futurizerush~google-maps-scraper/runs?token=$APIFY_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"searchQueries": ["coffee shop taipei"], "maxResults": 50, "language": "en", "scrapeEmails": true}')
Confidence
96% confidence
Finding
https://api.apify.com/

External Transmission

Medium
Category
Data Exfiltration
Content
# Step 2: Poll until done
while true; do
  STATUS=$(curl -s "https://api.apify.com/v2/actor-runs/$RUN_ID?token=$APIFY_API_TOKEN" \
    | jq -r '.data.status')
  [ "$STATUS" = "SUCCEEDED" ] && break
  [ "$STATUS" = "FAILED" ] || [ "$STATUS" = "ABORTED" ] && echo "Failed: $STATUS" && exit 1
Confidence
95% confidence
Finding
https://api.apify.com/

External Transmission

Medium
Category
Data Exfiltration
Content
done

# Step 3: Fetch results
curl -s "https://api.apify.com/v2/datasets/$DATASET_ID/items?token=$APIFY_API_TOKEN" | jq '.'
```

## Output Format
Confidence
95% confidence
Finding
https://api.apify.com/

VirusTotal

64/64 vendors flagged this skill as clean.
