Back to skill

Security audit

Map RTOS SDK - 高德官方嵌入式地图 SDK Skill

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only map SDK integration skill; its location, activation, and network examples fit the stated purpose but should be reviewed for normal app privacy requirements before reuse.

Safe to install as a documentation skill. Before using generated code, keep real AMap keys out of prompts, obtain SDK files from a trusted source, verify activation/network endpoints, add proper location permission and privacy notices, and review region settings and cleanup behavior before shipping.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document states that map resources are destroyed in `deinit`, but the shown `deinit` only logs a message and does not call `destroyMapView`. This mismatch can cause developers to rely on automatic cleanup that never happens, leading to resource leaks, stale rendering handles, or undefined SDK behavior if views are repeatedly created and destroyed.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad, common terms that can cause the skill to activate outside its intended RTOS map SDK context. Over-broad activation can inject irrelevant or misleading technical guidance into unrelated conversations, increasing the chance of unsafe developer actions or context confusion, especially because this skill contains detailed implementation instructions and code examples.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The sample automatically reads and uses real location data (`engineLocation`) and registers for location updates without documenting user consent, permission prompts, or privacy disclosures. In a location/map SDK integration guide, this can lead developers to implement tracking flows that violate platform privacy requirements and user expectations, increasing compliance and privacy risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide instructs developers to use `identifierForVendor` as a device ID and to perform online device activation, but it does not disclose that this identifier may be transmitted to a remote service or discuss consent, retention, or privacy implications. In an SDK integration guide, this omission can lead downstream apps to collect and send device-linked identifiers without transparency or privacy review.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The guide hard-codes activation parameters such as `.area = "mainland"` and `.country = "cn"` without explaining why these values are required or warning that they may affect routing, legal compliance, data handling, or user expectations. Forcing a region-specific configuration in a reusable SDK integration can cause incorrect service behavior or unintended data jurisdiction issues when used outside the intended market.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.