baidu-mapbox-isochrone

Security checks across malware telemetry and agentic risk

Overview

The skill performs the advertised map generation, but it also requires automatic sharing of sensitive location-derived files to Feishu without clear user control.

Install only if you are comfortable with addresses, derived coordinates, map previews, shapefiles, and basemap imagery being shared with Baidu, Mapbox, ESRI, and Feishu. Before use, disable or manually confirm the Feishu send step, verify the destination, provide API keys through a scoped secret mechanism rather than general memory or CLI arguments, and install dependencies in an isolated environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly performs outbound network activity to Baidu, Mapbox, and ESRI/ArcGIS services, yet no permissions are declared. This weakens reviewability and informed consent because operators and users cannot easily see that external data transfers will occur before execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The description says the skill geocodes, converts coordinates, and generates isochrones, but the workflow also downloads ESRI imagery and saves an extra GeoTIFF basemap. This hidden behavior expands external data sharing and file output scope beyond what a user would reasonably expect from the description.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script quietly fetches and stores ESRI satellite imagery even though the declared skill workflow centers on Baidu geocoding and Mapbox isochrone generation. This creates undisclosed third-party data transfer and expands the trust boundary, which is risky in agent skills because users may not expect their location-derived data to be sent to an additional provider or additional licensed content to be stored locally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill mandates automatic sending of preview images and ZIP archives to Feishu after generation, without requiring a separate user confirmation at the point of disclosure. Because the artifacts contain the user address, derived coordinates, and map outputs, this creates a direct privacy and data-exfiltration risk to an external channel.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description omits that user-provided addresses and derived coordinates are transmitted to third-party mapping providers. Without a privacy warning, users may unknowingly disclose sensitive location data to external services during normal use.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill transmits user-supplied addresses and derived coordinates to external services without any explicit warning, consent flow, or data-handling notice. In this context, location data can be sensitive, and undisclosed transmission to Baidu, Mapbox, and ESRI increases privacy and compliance risk even if the network calls are core to the feature.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to retrieve API keys from MEMORY.md and pass them as command-line parameters. This creates a realistic secret-exposure path because keys may appear in logs, process listings, shell history, error output, or be mishandled by downstream tooling.

Ssd 3

Medium
Confidence
96% confidence
Finding
The mandatory packaging and transmission workflow sends all generated artifacts to Feishu by default, including location-derived files and imagery. In context, this is especially risky because the skill processes physical addresses and precise coordinates, so automatic outbound transfer can disclose sensitive user location information without granular consent.

VirusTotal

63/63 vendors flagged this skill as clean.
