Baidu Map iOS SDK (Baidu Map official iOS Skills)

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a documentation/integration aid with no evidence of hidden execution, exfiltration, persistence, or destructive behavior, though its guidance should be tightened around language choice and location privacy.

This looks acceptable to install if you want map SDK guidance, but treat the location examples as incomplete: add proper iOS permission prompts and privacy disclosures before using user location, and prefer responding in the user’s language unless Chinese is requested.

SkillSpector (by NVIDIA)
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Natural-Language Policy Violations

Medium (94% confidence)
Finding
The skill metadata and body are written to require Chinese-language interaction, which can override a user's language preference and reduce user control. This is not a code-execution issue, but it is a policy and UX safety concern because it can cause misleading or inaccessible output when the user did not opt into Chinese.

Missing User Warnings

Medium (93% confidence)
Finding
The documentation instructs developers to enable and display current user location via `showsUserLocation` and `updateLocationData:` but does not mention the required iOS location permission flow, privacy disclosures, or the need to obtain informed user consent before collecting and rendering location data. In a map SDK integration guide, this omission can lead downstream developers to implement location features without proper authorization handling or privacy messaging, increasing the risk of unauthorized collection or exposure of precise location data.

VirusTotal

66/66 vendors flagged this skill as clean.