Security audit

Amap Smart Route

Security checks across malware telemetry and agentic risk

Overview

This is a coherent route-planning skill that sends entered start and destination locations to Amap using a declared API key, with no hidden code or persistence found.

Install only if you are comfortable sharing route start and destination addresses or coordinates with Amap. Use a dedicated AMAP_API_KEY with appropriate limits, monitor quota or billing, avoid highly sensitive locations, and verify the publisher if you require an official Amap-provided skill.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The skill advertises activation on very broad, everyday phrases such as asking how to get from A to B or how long it takes to go somewhere. Overly generic triggers can cause the skill to be invoked unintentionally in unrelated conversations, exposing user-provided location/address data to an external mapping API when the user did not clearly intend to use this specific skill.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.