Amap Map

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Amap/Gaode Maps API skill, with expected privacy considerations around sending map searches and route locations to Amap.

Install only if you are comfortable using an Amap Web Services API key and sending map queries, addresses, coordinates, and route endpoints to Amap. Use a dedicated key, monitor quota usage, and avoid submitting sensitive home, workplace, or real-time travel details unless that sharing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 80%
Finding
The trigger conditions are broad enough to overlap with common user intents such as asking about routes, nearby places, or address conversion, increasing the chance of automatic invocation without clear user intent. In this skill's context, misfires can send sensitive location or destination data to an external API and consume quota unexpectedly.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill handles highly sensitive location data, including precise coordinates, addresses, nearby searches, and routes, yet the documentation does not clearly notify users that these inputs are transmitted to the Amap external API. This omission weakens informed consent and increases privacy risk, especially because route and nearby-search requests can reveal habits, home/work locations, or real-time movement.

Missing User Warnings

Medium
Confidence: 83%
Finding
The skill sends user-provided keywords, addresses, and precise coordinates directly to the external AMap service, but the CLI usage text does not clearly warn users that their search terms and location data leave the local environment. This can expose sensitive location or destination information, especially for home, workplace, or real-time routing queries.

VirusTotal

66/66 vendors flagged this skill as clean.
