SmartRoute - Google Routes Calculator

Security checks across malware telemetry and agentic risk

Overview

This routing skill is purpose-aligned and disclosed, with only minor accuracy/documentation issues around route mode and locale handling.

Install only if you are comfortable sending route origins and destinations to Google and printing them in command output. Use a restricted Google Cloud API key limited to Routes API, monitor quota and billing, and be aware that non-driving modes may still produce a driving-mode Google Maps link.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Tp4

High

Category: MCP Tool Poisoning
Confidence: 81% confidence
Finding: The documented behavior does not fully match the implemented behavior: undisclosed support for non-driving modes, forcing a Google Maps link to driving mode, and an undisclosed es-419 languageCode can mislead users and downstream agents about what data is being requested and returned. In a routing skill, this can cause incorrect transportation guidance, user confusion, and privacy/compliance issues because location data is sent under conditions the user was not clearly told about.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal