Back to skill

Security audit

高德地图 (Fangtian)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent AMap helper for user-requested China map, weather, route, and location lookups, with no hidden or destructive behavior shown.

Install only if you trust the `amap` executable you place in your PATH. Use a restricted AMap Web Service API key where possible, and avoid submitting sensitive home, work, route, taxi, itinerary, or IP details unless you are comfortable sending that data to AMap.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill description is broadly scoped to common requests about weather, addresses, nearby places, routes, navigation, taxis, and trips, which can cause the agent to invoke this external tool for ordinary user queries without clear user intent to use Amap. That increases the chance of unnecessary third-party data disclosure and unintended tool activation, especially because the tool sends user-provided location-related inputs to an external service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation does not disclose that user-supplied addresses, coordinates, route endpoints, nearby-search queries, trip plans, and IP addresses are transmitted to Amap's external service. In a mapping skill, this omission is particularly important because the data can be sensitive and reveal precise location, travel patterns, or identity-linked information, so users and integrators may unknowingly expose private data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.