Citywalk Map

Security checks across malware telemetry and agentic risk

Overview

This is a normal route-map generator, but users should treat route coordinates and shared screenshots as potentially sensitive location data.

Install if you are comfortable using public mapping, routing, tile, and optional weather services with your route coordinates. Avoid private home/work itineraries unless you self-host or configure trusted services, serve only a dedicated output folder on localhost for screenshots, and share map screenshots only intentionally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The README states that the tool uses OSRM and Nominatim, but does not clearly warn that user-supplied coordinates, route points, and possibly place queries are transmitted to third-party services. In a location-mapping skill, this can expose sensitive travel patterns, home/work locations, or other private geographic data to external operators without informed user consent.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documented screenshot workflow serves generated content over a local HTTP server and then instructs sending the screenshot to Feishu, but it does not warn users that the rendered page may contain sensitive route, location, or personal itinerary data. Even though the server binds locally by default in many environments, exposing content via an HTTP server and exporting the resulting screenshot to an external platform creates an unnecessary data-exposure path if users process private locations or internal travel plans.

VirusTotal

66/66 vendors flagged this skill as clean.
