Security audit

GeoInfer Image Geolocation

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent GeoInfer image-geolocation helper, but users should understand that selected images are sent to an external API for analysis.

Install only if you are comfortable sending the specific images you choose to GeoInfer. Avoid using it on private, confidential, or unauthorized images unless you have approval, and keep the GEOINFER_API_KEY in your environment rather than pasting it into chat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill encourages passing local image files to a third-party geolocation API but does not clearly warn users that image contents will leave the local environment for external processing. This can expose sensitive visual data, including private locations, faces, documents, or operational context, especially in OSINT or investigative workflows where images may be confidential.

VirusTotal

63/63 vendors flagged this skill as clean.