Security audit

AMap Map Google Maps Migration

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Google Maps to AMap migration guide with disclosed public test keys and geolocation caveats, not evidence of hidden or destructive behavior.

Install only if you want AMap migration help. Treat embedded keys as public test credentials, verify them with AMap, and create your own restricted keys for production. Be especially careful with geolocation: avoid IMEI or MAC collection unless strictly necessary, obtain user consent, minimize retained data, and prefer HTTPS-capable endpoints.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (6)

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The document claims to be self-contained reference material, but it includes live third-party script tags and a working public AMap key. That encourages consumers to copy production-capable external dependencies directly from documentation, which creates supply-chain and credential-exposure risk rather than providing inert reference content.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The documentation embeds a live reusable AMap API key directly in an example URL, turning a migration guide into a distribution channel for a credential. Even if intended as a public/demo key, publishing it encourages uncontrolled third-party use, quota theft, abuse attribution, and potential downstream misuse from anyone who copies the example verbatim.

Context-Inappropriate Capability

Medium

Confidence: 88% confidence
Finding: The geolocation section documents transmission of device-level identifiers including IMEI, WiFi MACs, and cell tower data, which are highly sensitive and can enable device tracking or location inference. In a general Google Maps migration skill, this materially expands the data-sensitivity profile without strong necessity, privacy guardrails, or minimization guidance.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The markdown exposes a hard-coded AMap API key in example URLs with no warning that readers should not reuse embedded credentials. Even if intended as a public/demo key, publishing reusable credentials in copy-paste snippets invites unauthorized use, quota exhaustion, attribution to the wrong account, and downstream embedding into shipped applications.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The documentation references sensitive identifiers for geolocation but provides no warning about consent, legal basis, data handling, or privacy risk. That omission can lead developers to collect and transmit regulated device/location data in ways that violate user expectations, platform policies, or privacy laws.

Ssd 3

Medium

Confidence: 86% confidence
Finding: By providing concrete parameter mappings for sending IMEI, WiFi MACs, and cell tower identifiers to a geolocation service, the skill lowers the barrier to implementing sensitive device tracking workflows. In this context, the migration helper normalizes collection of high-risk identifiers without equivalent safeguards, making misuse easier.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.