Map Agent - iOS LLM Agent SDK (Official AMap AI Agent Skill)

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only AMap iOS SDK skill whose location, navigation, logging, and IPC examples match its stated map-integration purpose, though production apps should add privacy and confirmation safeguards.

This appears safe to install as a documentation skill, not executable software. Before shipping code generated from it, review AMap SDK credentials, custom backend URLs, location permission prompts, IPC callback validation, authorization persistence, auto-reconnect behavior, logging/redaction, and user confirmation for navigation-changing actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Medium (93% confidence)
Finding
The example lifecycle code calls destroy on global singleton SDK managers in viewDidDisappear, while the document itself states these singletons usually should not be destroyed when a page disappears. In an app with shared SDK usage, this can break navigation/agent functionality for other screens, create race conditions, and cause denial-of-service style reliability issues when users navigate between views.

Missing User Warnings

Medium (79% confidence)
Finding
The skill describes navigation control capabilities such as route planning, navigation commands, and control of map behavior, but does not warn that integrations may start, stop, or alter navigation state. Even if this is expected functionality, omission of an explicit warning increases the risk of unsafe or surprising actions being triggered through natural-language or agent-driven flows.

Missing User Warnings

Low (79% confidence)
Finding
The skill describes navigation control capabilities such as route planning, navigation commands, and control of map behavior, but does not warn that integrations may start, stop, or alter navigation state. Even if this is expected functionality, omission of an explicit warning increases the risk of unsafe or surprising actions being triggered through natural-language or agent-driven flows.

Missing User Warnings

Medium (84% confidence)
Finding
The document instructs implementers to collect live location and emit logs containing query summaries, actions, and session identifiers without clearly warning that these are privacy-sensitive data flows. This increases the chance that downstream developers will ship unnecessary collection or verbose logging of user movement and behavior, which can expose personal data in device logs or analytics pipelines.

Missing User Warnings

Medium (90% confidence)
Finding
The sample logs raw SDK-provided content directly with NSLog without any warning that internal logs may contain sensitive data such as tokens, location details, user queries, or IPC/debug metadata. In a mapping/agent SDK, verbose internal logs are especially likely to include privacy-sensitive context, so documentation that encourages verbatim logging can lead developers to leak data into device logs, crash reports, or external log collectors.

VirusTotal

65/65 vendors flagged this skill as clean.
