.Gaodemapskill.Conflict

Security checks across malware telemetry and agentic risk

Overview

This Gaode Map skill does what it claims, but searches, addresses, coordinates, route details, and the API key are sent to AMap to provide results.

Install only if you are comfortable sending map queries and route locations to Gaode/AMap. Avoid using highly sensitive home, workplace, or operational locations unless needed, and store the `AMAP_API_KEY` in the environment rather than passing it on the command line.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill description and usage text do not warn users that place-search queries, addresses, coordinates, and route-planning inputs are sent to the external Gaode Map API. Because these inputs can contain sensitive location information, omission of a disclosure undermines informed consent and may cause inadvertent sharing of personal or operationally sensitive data with a third party.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal