Mapbox MapLibre Migration

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only migration guide whose Mapbox token and API examples match its stated purpose, with privacy considerations users should review before copying the examples.

Safe to install as a guide. Before applying it, confirm you want to adopt Mapbox, review Mapbox pricing and privacy terms, restrict public tokens by domain, keep tokens out of git, and add user notice or consent where your app sends addresses, searches, routes, or precise locations to Mapbox.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The examples instruct users to send addresses and precise coordinates to Mapbox APIs, which transmits potentially sensitive query and location data to a third party. In documentation, this is a real privacy/security issue when no warning, consent guidance, or data-handling note is provided, because developers may copy the pattern directly into production without considering user disclosure obligations.

External Transmission

Medium
Category
Data Exfiltration
Content
```javascript
// Geocoding API - Convert addresses to coordinates
const response = await fetch(
  `https://api.mapbox.com/search/geocode/v6/forward?q=San+Francisco&access_token=${mapboxgl.accessToken}`
);

// Directions API - Get turn-by-turn directions
```
Confidence
88% confidence
Finding
https://api.mapbox.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```javascript
// Directions API - Get turn-by-turn directions
const directions = await fetch(
  `https://api.mapbox.com/directions/v5/mapbox/driving/-122.42,37.78;-122.45,37.76?access_token=${mapboxgl.accessToken}`
);

// Isochrone API - Calculate travel time polygons
```
Confidence
90% confidence
Finding
https://api.mapbox.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```javascript
// Isochrone API - Calculate travel time polygons
const isochrone = await fetch(
  `https://api.mapbox.com/isochrone/v1/mapbox/driving/-122.42,37.78?contours_minutes=5,10,15&access_token=${mapboxgl.accessToken}`
);
```
Confidence
90% confidence
Finding
https://api.mapbox.com/

VirusTotal

66/66 vendors flagged this skill as clean.
