geocode

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends user-provided coordinates to a disclosed geocoding service to return a place name.

Install only if you are comfortable sending each looked-up coordinate to geocode.com.cn or to a trusted endpoint you configure with GEOCODE_BASE_URL. Avoid using it for sensitive exact locations such as a home, workplace, or real-time whereabouts unless that disclosure is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The reverse command transmits precise user-supplied latitude and longitude to an external service, which is a real privacy and data-handling risk because location data can be sensitive and identifying. In this skill context, remote transmission is necessary for functionality, but the script does not provide an explicit warning, consent step, or privacy notice before sending the data.

Natural-Language Policy Violations

Low
Confidence
77% confidence
Finding
The script silently defaults to https://geocode.com.cn, a region-specific third-party provider, without clearly documenting jurisdiction, locale, or privacy implications. This increases privacy and compliance risk because users may unknowingly send location data to infrastructure operating under a specific legal and geographic context.

External Transmission

Medium
Category
Data Exfiltration
Content
## Public API Limits

- Use public endpoints only for low-frequency, interactive lookups.
- Send an identifying `User-Agent`; do not use default curl UA for repeated calls.
- Do not loop, bulk geocode, or aggressively retry against the public endpoint.

## Commands
Confidence
94% confidence
Finding
curl UA for repeated calls. - Do not loop, bulk geocode, or aggressively retry against the public endpoint. ## Commands ### Scripted Reverse Geocode ```bash {baseDir}/scripts/geocode.sh reverse 32.

VirusTotal

64/64 vendors flagged this skill as clean.
