Google Maps Search Api

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it advertises: it sends Google Maps search parameters to BrowserAct and prints business search results.

Install only if you are comfortable sending Google Maps search terms and task parameters to BrowserAct and using a BrowserAct API key that may consume account credits. Prefer setting BROWSERACT_API_KEY as an environment variable instead of pasting it into chat, and review sensitive lead-generation queries before running the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 88%
Finding
The manifest uses broad trigger phrases like finding businesses and says the skill should be proactively applied, which increases the chance of automatic invocation on ordinary user requests. In this context, that is risky because the skill sends search queries to a third-party API and may do so without clear, case-specific user consent.

Missing User Warnings

Medium
Confidence: 96%
Finding
The description omits a clear disclosure that user search terms, language/country settings, and lead-generation queries are sent to BrowserAct. Because the skill is designed for business data extraction and proactive use, this lack of notice materially increases privacy and consent risk for users who may not realize their request is being shared with an external service.

External Transmission

Medium
Category: Data Exfiltration
Content
    # 1. Start Task
    try:
        res = requests.post(f"{API_BASE_URL}/run-task-by-template", json=payload, headers=headers).json()
    except Exception as e:
        print(f"Error: Connection to API failed - {e}")
        return None
Confidence: 89%
Finding
requests.post(f"{API_BASE_URL}/run-task-by-template", json=

VirusTotal

64/64 vendors flagged this skill as clean.
