baidu-maps-poi-ai-search

Security checks across malware telemetry and agentic risk

Overview

This Baidu Maps search skill does what it says, but it needs review because it can log sensitive search or location details and possibly an API key.

Install only if you are comfortable sending Baidu Maps your search terms, regions, and optional coordinates. Prefer setting BAIDU_AK as an environment variable rather than passing an 'ak' field in JSON, and avoid sensitive searches or precise home/work coordinates unless the logging behavior is removed or redacted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 95% confidence
Finding
The documentation tells users to configure BAIDU_AK but does not clearly disclose that user-entered search queries, regions, and possibly precise center coordinates are transmitted to Baidu Maps. This is a privacy/transparency issue because users may provide sensitive location intent or geographic data without realizing it is sent to a third party.

Missing User Warnings

Medium, 98% confidence
Finding
The script logs the fully parsed request body to stderr, which may include sensitive values such as the provided ak API key as well as user queries and locations. In many agent or server environments, stderr is centrally collected and retained, turning this into a credential and privacy leakage issue.

VirusTotal

64/64 vendors flagged this skill as clean.
