Broadbandmap Cell Coverage

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it looks up cell coverage by sending a user-provided location to external mapping and coverage APIs.

Install only if you are comfortable sending searched addresses or precise latitude/longitude to OpenStreetMap Nominatim and the configured BroadbandMap-style API. If you use BROADBANDMAP_API_KEY or --api-key, keep the default endpoint or another trusted endpoint, because custom base URLs will receive that credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill invokes a Python script that performs outbound API calls and can read an API key from the environment, but the skill metadata does not declare corresponding permissions or capabilities. This creates a transparency and governance gap: operators and users may approve or run the skill without realizing it can access network resources and environment-sourced secrets.

Missing User Warnings

Medium
Confidence: 96%
Finding: The skill supports address-based lookups via Nominatim geocoding and then queries an external coverage API, but it does not warn that user-supplied location data will be transmitted to third parties. Precise addresses and coordinates are sensitive location information, so the omission can lead to unconsented disclosure of user data and privacy/compliance issues.

Missing User Warnings

Medium
Confidence: 94%
Finding: The script sends precise user-supplied address or latitude/longitude data to third-party services (Nominatim for geocoding and a configurable BroadbandMap API for coverage lookup), but the code contains no consent gate, disclosure, redaction, or minimization. Because location data can be highly sensitive and the skill is explicitly designed to query external public APIs, users may unknowingly expose home or current-location information to external operators and any configured backend.

VirusTotal

66/66 vendors flagged this skill as clean.
