Mapbox Android Patterns

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Mapbox Android guide with expected map, token, and user-location examples, and no hidden execution or data transfer behavior.

Before using these patterns in a real app, treat the Mapbox token as a scoped app credential, avoid committing sensitive tokens, and add clear in-app disclosure and consent before enabling any user-location display or tracking feature.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs developers to request location permissions and enable the user location puck, but it does not mention privacy disclosures, purpose limitation, or obtaining informed user consent beyond the platform permission prompt. In an integration guide, this omission can normalize collecting or displaying precise location data without appropriate notice, increasing privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal