Amap City Checkin

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a city map helper with one usability concern around overly broad activation, not evidence of harmful behavior.

Installers should be aware that casual mentions of a city could invoke the skill if the host agent follows the broad trigger wording. Prefer using it only when you clearly intend to generate a city check-in map, and review any generated shareable artifact before distributing it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The skill describes activation in an overly broad way: '只需说出城市名' and '当你说出一个城市名时，我会…', which can cause unintended invocation from ordinary conversation rather than a clearly intentional command. In an agent environment, broad triggers increase the chance of accidental external API calls and generation of shareable map artifacts without explicit user intent, even though the skill itself is not overtly malicious.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal