AMap SKILL Food Radar (高德SKILL 美食雷达)

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward restaurant-search helper that uses AMap, but users should understand that their location or landmark queries go to AMap through an external MCP server.

Before installing, verify that you are comfortable running @amap/mcp-server via npx, store the AMAP_API_KEY securely, and treat any address, landmark, or location description you provide as information sent to AMap for restaurant search.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill processes precise or approximate user location to search nearby restaurants via the external AMap service, but it does not clearly warn users that their location queries are transmitted to a third-party provider. This is a real privacy disclosure issue because users may reveal sensitive location context (home, workplace, routines) without informed consent, especially when the skill invites natural-language location sharing.

VirusTotal

66/66 vendors flagged this skill as clean.
