Amap Search Skill

Security checks across malware telemetry and agentic risk

Overview

This is a normal Gaode/Amap map lookup skill, but it sends map queries and location-related inputs to Amap services.

Install only if you are comfortable sending your Amap API key plus searched addresses, coordinates, route endpoints, city names, and IP-location lookups to Gaode/Amap. Use a revocable API key and avoid submitting sensitive exact home, work, or travel details unless needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding
The skill documentation indicates use of environment variables and outbound network access, but no permissions are explicitly declared. This creates a transparency and consent gap: users and platforms may not realize the skill reads secrets from the environment and sends requests to an external API. In a mapping skill this behavior is expected, but undeclared capabilities still increase risk because they affect trust, reviewability, and policy enforcement.

Missing User Warnings

Medium
Confidence: 94%
Finding
The README describes IP-based geolocation without clearly warning that use of this feature discloses the user's IP-derived location context to Gaode's external service. Even though IP lookup is core functionality for this skill, the omission matters because IP and location data are privacy-sensitive and users may not expect third-party processing from a simple command example. The skill context makes this more concerning because location tools inherently handle sensitive personal data.

VirusTotal

66/66 vendors flagged this skill as clean.
