ClawHub

Gaode-Map-skills

Security checks across malware telemetry and agentic risk

Overview

This map skill appears to do what it claims: it sends location searches and route requests to Gaode/AMap using the user's API key.

Install only if you are comfortable sharing map searches, addresses, coordinates, and route details with Gaode/AMap under your API key. Prefer setting AMAP_API_KEY in the environment rather than passing it on the command line, and pin requests before production or sensitive use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares required environment variables and invokes a Python script that will make outbound requests to the Gaode Map API, but it does not declare explicit permissions for those capabilities. This creates a permission-transparency gap: a user or platform may not realize the skill can access secrets from the environment and communicate over the network, which increases the risk of unintended data exposure or policy bypass.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
Confidence
98% confidence
Finding
requests

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
requests

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal