Security audit

Mapbox Google Maps Migration

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Mapbox migration guide, with no hidden execution or data collection, but users should handle copied token and popup examples carefully.

Safe to install as a migration reference. Before copying examples into production, use scoped public Mapbox tokens in browser code, keep secret tokens server-side, and avoid rendering untrusted popup content with setHTML unless it is sanitized.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 89% confidence
Finding: The example assigns a Mapbox access token directly in client-side source code without any accompanying guidance on token scoping, domain restrictions, or the fact that public tokens must be treated differently from secret tokens. In a migration skill, readers may copy this pattern verbatim and accidentally expose overly permissive credentials or normalize insecure token handling.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal