Back to skill

Security audit

Google Maps Reviews Api Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Google Maps reviews integration that uses a disclosed BrowserAct API key and API calls, with privacy and consent considerations around when it is invoked.

Install this only if you are comfortable using BrowserAct to retrieve Google Maps reviews. Keep use user-directed, avoid unnecessary bulk collection of reviewer-identifying fields such as profile URLs and avatars, and make sure your use complies with applicable platform terms and privacy expectations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill requires environment access and makes external API calls, but it does not declare explicit permissions for those capabilities. That creates a transparency and governance gap: an agent may expose secrets from environment variables or perform network actions without the expected permission signaling, making review and policy enforcement harder.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The skill description repeatedly says the agent should proactively apply the skill for a wide range of common review-related requests. Broad activation criteria can cause the agent to invoke external tooling and transmit user queries or business targets to a third-party service when the user did not explicitly request that integration, increasing privacy, consent, and unintended-action risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.