address-extractor

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: parse Chinese addresses and optionally send address queries to AMap for coordinates, with privacy caution for real addresses.

Install only if address parsing and optional AMap geocoding fit your use case. Use the skill without an AMap API key for local parsing only, and enable geocoding only when you have permission to send the relevant address data to AMap.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill instructs users to send address text to the AMap geocoding API but does not warn that the submitted address may contain personal or sensitive location information that will be shared with a third party. In the stated contexts—customer information management, logistics, GIS—this can expose private addresses and associated personal data without informed consent.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The code sends user-supplied address content to the external Amap geocoding API, and those addresses may include personal data such as home addresses, phone-associated contact text, or workplace details. In this skill's context, that external transmission is core functionality, but the lack of explicit consent, disclosure, data minimization, or privacy controls creates a real privacy and compliance risk rather than a purely theoretical issue.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal