Security audit

Mapbox Search Patterns

Security checks across malware telemetry and agentic risk

Overview

The skill’s location use appears relevant to its “near me” search purpose, with no evidence of hidden execution, persistence, or data exfiltration.

Before installing, confirm you are comfortable with the agent using your location for nearby searches. Prefer giving a city, ZIP code, or approximate area unless precise location is necessary, and do not allow reuse or storage of location data unless the skill clearly asks and you agree.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The workflow explicitly instructs the agent to obtain the user's location from the app or browser for a 'near me' search, but it provides no consent prompt, permission check, or minimization guidance. In a location-search skill, collecting precise location is contextually relevant, but omitting user-notice and consent cues can still lead to privacy violations or unauthorized access patterns if downstream implementations follow this guidance literally.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.