google-maps-contact-extract

Fail

Audited by Snyk on Jul 9, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This skill is explicitly designed to harvest contact data (emails, phones, social profiles) at scale from Google Maps and business websites and even includes guidance to evade anti-scraping—behavior that enables large‑scale data harvesting and potential abuse (spam, unsolicited outreach).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.85). Yes—during the required “website contacts” step, scripts/extract-contacts.py reads document.documentElement.innerHTML / document.body.innerText from each business’s homepage and contact/about subpages (outsider-authored web page text) and returns extracted strings into the agent’s runtime context.

Issues (2)

E006
CRITICAL

Malicious code pattern detected in skill scripts.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jul 9, 2026, 11:21 AM
Issues
2
Security Audit — snyk — google-maps-contact-extract