Gaode Map Personal - 高德官方个人专属地图 Skill

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does the advertised map work, but it can share sensitive location/IP data with external services and save map QR files locally without enough user control.

Use this only for explicit map, routing, POI, or itinerary tasks. Avoid submitting sensitive home/work locations or third-party IP addresses unless the user clearly wants that lookup. Be aware that map details may go to AMap and QR payloads may go to a separate QR-code service, and delete locally saved QR images when no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (10)

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: The demo fetches a remote QR code image from a URL returned by an API and writes it into a local workspace directory. This creates an unnecessary file-write side effect for a demo script, can expose users to unexpected local artifact creation, and trusts remote content without validation or size/type checks.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: The client exposes IP geolocation via maps_ip_location, which collects and transmits IP addresses to an external API and stores the result in session_data. That capability is not clearly justified by the manifest’s stated personal-map and itinerary generation purpose, so it broadens the skill’s data collection surface and can enable unnecessary location inference of users or third parties.

Context-Inappropriate Capability

Medium

Confidence: 80% confidence
Finding: download_qr_code fetches a remote QR image and writes it to an arbitrary local path, which exceeds the manifest’s described behavior of generating/shareable map outputs. This adds local file write capability and network retrieval that could be abused by higher-level code to persist untrusted content or write to unintended locations.

Vague Triggers

High

Confidence: 89% confidence
Finding: The skill instructs agents to proactively invoke it for very broad location-, travel-, and itinerary-related topics, even when the user did not explicitly ask to generate a map. This can trigger unnecessary external API calls, data sharing, and follow-on actions such as QR generation, expanding exposure of user queries and location-related information without clear consent.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The instructions require downloading QR code images to the local filesystem and presenting them, but they do not require informing the user that files will be created or persisted. Silent local writes are risky because they may leave behind sensitive artifacts, violate workspace expectations, or create data-retention issues in shared or managed environments.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill offers IP-based geolocation without warning that an IP address is personal or quasi-personal data and will be sent to an external service. This is dangerous because users may unknowingly disclose location-revealing information, and operators may process regulated data without appropriate consent or transparency.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The example workflow repeatedly mandates saving downloaded QR images to local storage as part of normal operation, again without disclosure or cleanup guidance. Repetition makes this operational behavior more likely to be implemented broadly, increasing the chance of persistent artifact leakage and unauthorized filesystem modification in constrained environments.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The script silently downloads a remote image and writes it to the local filesystem without prior warning or confirmation. In an agent or automation context, this kind of undisclosed network-and-file side effect can violate user expectations and increases risk from malicious or unexpected remote content.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: Multiple methods send user-supplied addresses, coordinates, POI queries, route endpoints, and IP data to external AMap services without any user-facing disclosure or consent flow. Because these fields can contain sensitive location information, silent transmission creates a privacy risk that is amplified by the skill’s broad trigger conditions around travel, navigation, and nearby search.

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The QR download helper writes a file to local disk without any disclosure to the user that persistent local storage will occur. Even though the content is only an image, silent file creation can violate user expectations and may create clutter or data handling issues on the host environment.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal