CoreLocationCLI

Security checks across malware telemetry and agentic risk

Overview

This skill clearly documents a macOS command that prints the device's location, which is sensitive but aligned with its stated purpose.

Install only if you are comfortable with your terminal or agent session seeing your Mac's current location. Verify the Homebrew cask and upstream project before installing, avoid running it where its output could end up in shared logs or screenshots, and use --watch only when continuous location updates are needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly collects and prints the device's physical location, but the description and surrounding documentation do not prominently warn users about the privacy sensitivity of that data or the risk of exposing it in terminal logs, shell history, screenshots, or downstream automation. Because precise location is highly sensitive personal data, omission of a clear privacy warning can lead to inadvertent disclosure even if the tool's functionality is legitimate.

VirusTotal

64/64 vendors flagged this skill as clean.
