Baidu Map JSAPI UI Kit (Baidu Maps official JSAPI UI-Kit Skills)

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Baidu Maps UI Kit skill with expected API-key and location-query considerations, but no executable or hidden behavior was found.

Before installing or using this skill, make sure your app has a valid Baidu Maps API key and gives users appropriate notice or consent before sending search terms, coordinates, waypoints, place names, or POI identifiers to Baidu-backed map services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation shows how to submit route-planning requests containing sensitive location data such as start/end coordinates, waypoint coordinates, place names, and POI UIDs, but it does not disclose that these values are transmitted to Baidu Map services. This omission can cause developers to integrate the component without providing user notice, consent, or data-handling safeguards for potentially sensitive geolocation information.

VirusTotal

66/66 vendors flagged this skill as clean.
