Back to skill

Security audit

Google Maps Api Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed BrowserAct Google Maps scraping helper that uses an API key to collect business listings, with no hidden local access, persistence, or destructive behavior found.

Install only if you intend to use BrowserAct for Google Maps data collection. Keep the BrowserAct API key in environment configuration rather than pasting it into chat, confirm before broad or recurring lead-generation runs, and consider privacy, terms-of-service, and compliance constraints when collecting phone numbers or business contact data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares required environment variables and invokes a Python script that will make outbound API requests, but there is no explicit permissions declaration covering access to secrets and network use. This creates a governance gap: an agent may expose or use sensitive credentials and perform external data transfers without clear user-visible consent boundaries.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manifest encourages the agent to proactively trigger the skill for a very broad set of common research and lead-generation tasks. That can cause over-triggering, sending user queries to an external scraping API without sufficiently specific user intent or consent, especially for requests that could be handled locally or more safely.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.