Google Maps Search Api Skill

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward BrowserAct integration for collecting Google Maps business listings, with expected API-key and network use.

Install this only if you are comfortable sending Google Maps search terms, location/business parameters, and BrowserAct API quota usage to BrowserAct. Keep the API key in an environment variable rather than pasting it into shared chats or logs, and review searches involving competitors, prospects, or sensitive locations before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding
The skill invokes Python code that uses an environment-provided API key and sends queries to an external BrowserAct service, yet it does not clearly declare corresponding permissions. This creates a transparency and policy-enforcement gap: the agent may access secrets and perform networked data transfer without an explicit permission boundary, increasing the risk of unintended external disclosure or unreviewed execution.

Vague Triggers

Medium
Confidence: 93%
Finding
The proactive-trigger text is extremely broad and covers many common business/location lookup scenarios, which can cause the skill to activate in routine requests without the user realizing an external scraping/API workflow will run. In context, this is more dangerous because activation leads to code execution and third-party data transfer, not just local formatting or reasoning.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill does not warn users that their business search terms and related parameters are sent to an external API provider. This undermines informed consent and can expose potentially sensitive research intent, prospecting targets, or location-based business queries to a third party without clear notice.

VirusTotal

64/64 vendors flagged this skill as clean.