Security audit

Mapbox Store Locator Patterns

Security checks across malware telemetry and agentic risk

Overview

This is a Mapbox store-locator guide with no hidden installer, but its examples need privacy notices and safer HTML handling before production use.

Before installing or using this skill, treat the snippets as patterns rather than production-ready security code. Add a clear 'Use my location' action, explain why location is needed, disclose that directions may send coordinates to Mapbox, avoid retaining precise coordinates unnecessarily, use restricted Mapbox tokens, and replace raw HTML popup/list rendering with textContent, DOM construction, or a trusted sanitizer for any store data that could come from users, CMSs, feeds, or partners.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 88%
Finding
The guidance encourages collecting precise geolocation and using it for distance calculation and directions, but it does not advise implementers to present a clear privacy notice or explain that coordinates may be sent to third-party services. In this context, user location is sensitive data, and the later directions example transmits origin/destination coordinates to Mapbox, so omission of disclosure and consent guidance can lead to privacy-harming implementations.

Missing User Warnings

Medium
Confidence: 97%
Finding
The example inserts dynamic store properties directly into Popup.setHTML(), which will render the values as HTML. If any property such as name, address, or phone can come from an untrusted source, an attacker could inject script-capable markup or malicious HTML, leading to DOM-based XSS in the application using this pattern. Because this is sample code in a reusable skill, it is likely to be copied into production and the lack of escaping guidance increases the risk.

Missing User Warnings

Medium
Confidence: 96%
Finding
This second example again passes dynamic feature properties into Popup.setHTML() without escaping or sanitization. In a store-locator context, these values often originate from CMS, partner feeds, or uploaded location data, so rendering them as HTML can enable stored or reflected XSS against end users viewing the map.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.