ClawHub

Google SERP Maps Photos API

Security checks across malware telemetry and agentic risk

Overview

This is a focused API helper that sends Google Maps photo lookup parameters to Just Serp API and does not show hidden, destructive, persistent, or unrelated behavior.

Install only if you intend to use Just Serp API for Google Maps photo lookups. Keep JUST_SERP_API_KEY in the environment, avoid pasting the key into chat, and do not submit sensitive location identifiers unless you are comfortable sending them to Just Serp API for processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill clearly instructs the agent to call an external third-party API and to pass user-provided query parameters such as `data_id`, `category_id`, `language`, and `next_page_token`, but it does not explicitly warn users that these values will be transmitted off-platform to Just Serp API. This creates a privacy and data-handling risk because users may provide sensitive identifiers or location-related inputs without understanding they are being shared with an external service.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The operation sends a location identifier and related query parameters to an external third-party API, but the documentation does not disclose this data transfer or its privacy implications. In agent contexts, users may provide location-related inputs without realizing they are being shared off-platform, increasing the risk of unintended disclosure of sensitive place associations or activity patterns.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal