mapbox

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Mapbox helper with expected, safety-conscious token guidance and no executable behavior.

Safe to install as a Mapbox guidance skill. Use scoped Mapbox tokens, restrict browser tokens by allowed URLs when possible, keep secret tokens server-side, and avoid pasting private tokens into chat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Credential Access

High
Category: Privilege Escalation
Content:
1. Confirm the runtime first: plain HTML, Vite, React, Next.js, or another framework.
2. Confirm which Mapbox surface is involved: GL JS map rendering, styles, tilesets, geocoding, directions, or static images.
3. Start with the smallest working map before adding custom sources, layers, controls, or API calls.
4. Keep access tokens out of source files and examples unless the user explicitly wants a local-only demo.
5. For bugs, isolate whether the failure is in container sizing, token/scopes, style/source IDs, coordinate order, or layer order.

## Implementation Guardrails
Confidence: 70%
Finding: access tokens

Credential Access

High
Category: Privilege Escalation
Content:
- Add sources before layers, and keep layer IDs stable so updates are easy.
- Prefer GeoJSON for lightweight overlays; move to vector tiles or tilesets for larger datasets.
- In React or other SPA frameworks, remove the map instance during teardown to avoid leaks.
- Treat the access token as configuration. Read it from environment or runtime config instead of hardcoding it.

## Common Failure Checks
Confidence: 70%
Finding: access token

VirusTotal

66/66 vendors flagged this skill as clean.
