Mapbox Data Visualization Patterns

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Mapbox visualization skill; its main caveat is a popup example that should be sanitized before use with untrusted map data.

Install this if you want Mapbox visualization guidance. When adapting the examples, treat feature properties and external map data as untrusted: avoid inserting them into setHTML directly, prefer DOM/textContent-based popups or robust sanitization, and keep any Mapbox tokens and data endpoints properly scoped.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The popup example builds HTML with unescaped feature property keys and values and passes it to setHTML(), which can lead to DOM-based XSS if any property contains attacker-controlled markup or scriptable content. In a map visualization context, feature data often comes from external GeoJSON, tilesets, or APIs, so treating those values as trusted is unsafe.

VirusTotal

53/53 vendors flagged this skill as clean.
