Google Maps Leadgen

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it uses a configured Google Maps MCP server to build lead lists, export files, and optionally send them when requested.

Install only if you trust the configured google-maps MCP server and can manage Google Maps API quota or billing. Store exports in a deliberate folder, do not commit API keys or lead files, and verify the recipient/channel before sending CSV or XLSX files through chat or Telegram.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding:
The skill clearly instructs network access to a self-hosted MCP server, file export to CSV/XLSX, and chat-based file delivery, which together imply network and file-write capabilities despite no declared permissions. This mismatch weakens security review and consent boundaries because an agent may invoke sensitive capabilities without explicit, least-privilege disclosure to users or the platform.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding:
The invocation description is broad enough to match generic lead-generation or enrichment requests, which can cause the skill to activate in situations the user did not clearly intend. In this context, over-broad triggering is riskier because the skill can perform networked data collection, enrichment, deduplication, and file export, potentially gathering or transmitting business contact data unnecessarily.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The skill instructs sending lead files in chat or Telegram but does not require a privacy, consent, or destination-verification check before transmission. Because exported lead files may include personal or regulated business contact information, this creates a meaningful risk of data leakage, misdelivery, or non-compliant sharing through third-party messaging channels.

VirusTotal

64/64 vendors flagged this skill as clean.