Mapbox Search Integration

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Mapbox Search integration guide. The scan found no hidden execution and no behaviour at odds with its stated purpose; the concerns are with code that readers are likely to copy and paste as-is (unescaped innerHTML rendering and token handling).

Safe to install as a guide. Before copying its code into production: use restricted public Mapbox tokens (pk.*, limited to your site's URLs) and never ship a secret sk.* token in client code; disclose the search and location data flows to users; and replace the innerHTML/setHTML examples with DOM construction (createElement and textContent) or with output escaping/sanitization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The document recommends emitting analytics events for searches, selections and errors but says nothing about user notice, consent, data minimization or privacy controls. Although the example avoids sending full query strings, it still encourages telemetry that could be implemented without transparency and create privacy or compliance risk in production applications.
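One way to keep such telemetry minimal and consent-gated, as an added example in JavaScript (not code from the scanned guide; the event types, the per-type field allowlists and the shape of the consent object are assumptions chosen for illustration):

```javascript
// Added example, not part of the scanned guide. Event types, allowed fields and the
// consent object shape are assumptions chosen to illustrate data minimization.

// Per event type, the only fields that may leave the page. The raw query string,
// user identifiers and precise coordinates are deliberately absent.
const EVENT_FIELDS = {
  search: ["queryLength", "resultCount", "latencyMs"],
  select: ["resultIndex", "featureType", "lon", "lat"],
  error: ["status", "code"],
};

// Round a coordinate to `decimals` places; two decimals is roughly 1 km at the
// equator, enough for usage analytics without pinpointing the user.
function coarsenCoordinate(value, decimals = 2) {
  const factor = 10 ** decimals;
  return Math.round(Number(value) * factor) / factor;
}

// Build an event from whatever the search UI collected, keeping only allowlisted
// fields and deriving safe aggregates (query length instead of query text).
function buildAnalyticsEvent(type, raw = {}) {
  const allowed = EVENT_FIELDS[type];
  if (!allowed) throw new Error(`unknown analytics event type: ${type}`);
  const derived = { ...raw };
  if (typeof raw.query === "string") derived.queryLength = raw.query.length;
  if (typeof raw.lon === "number") derived.lon = coarsenCoordinate(raw.lon);
  if (typeof raw.lat === "number") derived.lat = coarsenCoordinate(raw.lat);
  const event = { type };
  for (const key of allowed) {
    if (derived[key] !== undefined) event[key] = derived[key];
  }
  return event;
}

// Gate emission on an explicit, affirmative analytics consent flag. Returns the
// event handed to `send`, or null when nothing may be sent.
function emitAnalytics(type, raw, consent, send) {
  if (!consent || consent.analytics !== true) return null;
  const event = buildAnalyticsEvent(type, raw);
  send(event);
  return event;
}
```

The allowlist is the control: a new field reaches the analytics endpoint only when someone adds it to EVENT_FIELDS, which is the point at which notice and consent text can be reviewed.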

Unvalidated Output Injection

Severity: High
Category: Output Handling
Content:
});

  // Render custom results UI
  resultsContainer.innerHTML = response.suggestions
    .map(
      (suggestion) => `
    <div class="result-item" data-id="${suggestion.mapbox_id}">
Confidence: 98%
Finding: matched pattern "innerHTML = response". Fields from the API response are interpolated into markup without escaping, so a crafted suggestion name or id would be parsed as HTML (DOM-based XSS).

Unvalidated Output Injection

Severity: High
Category: Output Handling
Content:
});

function displayResults(results) {
  resultsContainer.innerHTML = results
    .map(
      (result) => `
    <div class="result" data-id="${result.mapbox_id}">
Confidence: 98%
Finding: matched pattern "innerHTML = result". Same issue as above: result fields are interpolated into markup without escaping.
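The two innerHTML findings above share one fix. What follows is an added example in JavaScript, not code from the scanned guide: it shows the flagged string interpolation beside an escaping version and a DOM-construction version, plus the public-token check from the summary. The suggestion fields used (name, place_formatted, mapbox_id) follow the Mapbox Search Box API suggest response; the sample suggestions, the container handling and the helper names are assumptions.

```javascript
// Added example, not code from the scanned guide. SAMPLE_SUGGESTIONS is constructed
// to look like a Search Box API suggest response whose text fields carry markup;
// every field that comes back from the API is treated as untrusted.
const SAMPLE_SUGGESTIONS = [
  { name: "Cafe <b>Bold</b>", place_formatted: "Berlin, Germany", mapbox_id: "example-id-1" },
  {
    name: '<img src=x onerror="alert(document.cookie)">',
    place_formatted: "Nowhere",
    mapbox_id: '" onmouseover="alert(1)',
  },
];

// The pattern flagged by the scan: API fields interpolated straight into markup.
function renderUnsafe(suggestions) {
  return suggestions
    .map((s) => `<div class="result-item" data-id="${s.mapbox_id}">${s.name} (${s.place_formatted})</div>`)
    .join("");
}

// Fix 1: if an HTML string is really needed, escape every interpolated value for
// both text and attribute context before it is assigned to innerHTML.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function renderEscaped(suggestions) {
  return suggestions
    .map((s) =>
      `<div class="result-item" data-id="${escapeHtml(s.mapbox_id)}">` +
      `${escapeHtml(s.name)} (${escapeHtml(s.place_formatted)})</div>`)
    .join("");
}

// Fix 2 (preferred): build nodes and assign text through textContent, so nothing
// from the API is ever parsed as markup. `container` is an existing element.
function renderResults(container, suggestions) {
  const doc = container.ownerDocument;
  container.textContent = ""; // drop the previous result list
  for (const s of suggestions) {
    const item = doc.createElement("div");
    item.className = "result-item";
    item.dataset.id = String(s.mapbox_id); // attribute value, never markup
    const name = doc.createElement("span");
    name.className = "name";
    name.textContent = s.name;
    const place = doc.createElement("span");
    place.className = "place";
    place.textContent = s.place_formatted;
    item.appendChild(name);
    item.appendChild(place);
    container.appendChild(item);
  }
  return container;
}

// Client code may only carry a public token (prefix "pk."); secret tokens ("sk.")
// grant account-level API access and must stay server-side. Restrict the public
// token to your site's URLs in the Mapbox account settings as well.
function assertClientToken(token) {
  if (typeof token !== "string" || !token.startsWith("pk.")) {
    throw new Error("client-side Mapbox token must be a public pk.* token");
  }
  return token;
}

// Browser usage; skipped when run outside a DOM (for example under Node).
if (typeof document !== "undefined") {
  renderResults(document.getElementById("results"), SAMPLE_SUGGESTIONS);
}
```

renderResults is the form to copy: it needs no escaping discipline at each call site, and the data-id attribute is set through dataset rather than string concatenation, so the attribute-breakout payload in the second sample suggestion is stored as an ordinary value.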

VirusTotal

64/64 vendors flagged this skill as clean.
