Amap Search

Security checks across malware telemetry and agentic risk

Overview

This map-search skill does what it advertises, but users should understand that their map queries and API key are sent to Gaode/Amap.

Install only if you are comfortable sending map searches, addresses, coordinates, route endpoints, IP-location lookups, and your Gaode/Amap API key to Amap. Prefer the environment variable over passing the key on the command line (arguments are visible to other local users in process listings and are recorded in shell history), keep any shell profile file that exports the key readable only by you, and avoid querying sensitive home, work, medical, or travel details unless necessary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The skill advertises IP-based location lookup and sends location-related queries to a third-party mapping API, but it does not clearly disclose the privacy implications or what data is transmitted. Users may unknowingly expose approximate location, addresses, or coordinates to Gaode, creating privacy and compliance risk, especially in sensitive environments.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The script sends user-supplied IP addresses, addresses, coordinates, route endpoints, city names, and search keywords to Gaode's external API endpoints, but it does not provide any explicit privacy notice or consent prompt before transmitting potentially sensitive location/query data. In a location-services skill, this is a real privacy weakness because users may not realize their precise locations and travel intents are being disclosed to a third party.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The script sends user-supplied IP data to the Amap API over the network without any explicit notice, consent flow, or minimization controls. While this is core functionality for a map lookup tool rather than obviously malicious behavior, IPs and inferred location are sensitive data and disclosure to a third party can create privacy and compliance risks.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
POI searches and nearby lookups transmit user-provided keywords, coordinates, city, and radius to an external mapping service with no explicit warning to the user. In a mapping skill this is expected behavior, but the data can still reveal sensitive habits, destinations, or precise whereabouts, making the issue a real privacy weakness rather than a code-execution flaw.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The geocoding function sends user-entered addresses directly to a third-party API without explicit disclosure or consent. Addresses can be highly sensitive, especially when they refer to homes, workplaces, or other private locations, so silent transmission creates privacy and potential regulatory exposure.
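The five findings above and the key-handling advice in the overview reduce to two controls: tell the user exactly which values are about to leave the machine before any lookup, and keep the API key out of argv, logs, and world-readable files. The following Python is an added example of those controls, not the Amap Search skill's own code and not an Amap client library. The base URL and endpoint paths are the public Amap v3 paths as assumed here, the variable name AMAP_API_KEY and the sample address and coordinates are constructed, and no network request is made, so it runs offline.

```python
"""Consent-gated, key-safe request builder for Amap (Gaode) Web Service lookups.

Added example, not the Amap Search skill's own code. The base URL and endpoint
paths are the public Amap v3 paths as assumed by this example; nothing here
performs a network request, so it runs offline.
"""
import os
import re
import stat
import sys
from urllib.parse import urlencode

AMAP_BASE = "https://restapi.amap.com/v3"  # assumed base URL

# Assumed endpoint path per lookup kind (geocoding, IP location, POI search,
# nearby search). Every parameter given to build_request() leaves the host.
ENDPOINTS = {
    "geocode": "/geocode/geo",
    "ip": "/ip",
    "poi_text": "/place/text",
    "poi_around": "/place/around",
}


def load_api_key(env_name="AMAP_API_KEY", env=None, argv=None):
    """Take the key from the environment only, and refuse if it also shows up on argv.

    Command-line arguments are visible to other local users through ps and
    are recorded in shell history; a process's environment is not.
    """
    env = os.environ if env is None else env
    argv = sys.argv[1:] if argv is None else argv
    key = env.get(env_name)
    if not key:
        raise RuntimeError(f"set {env_name}; do not pass the key as a command-line argument")
    if any(key in arg for arg in argv):
        raise RuntimeError("API key found on the command line; remove it and rely on the environment")
    return key


def profile_is_private(st_mode):
    """True if a file (e.g. ~/.bashrc exporting the key) is readable only by its owner."""
    return stat.S_IMODE(st_mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0


def check_profile_private(path):
    return profile_is_private(os.stat(path).st_mode)


def minimize_location(location, decimals=3):
    """Round a 'lng,lat' fix to three decimals (roughly 100 m).

    A nearby search with a radius of hundreds of metres returns the same POIs,
    but the transmitted coordinate no longer pinpoints a doorstep.
    """
    lng, lat = (float(part) for part in location.split(","))
    return f"{lng:.{decimals}f},{lat:.{decimals}f}"


def build_request(kind, params, key):
    """Return (url, disclosure): the URL that would be fetched and a plain-text
    statement of exactly which values are about to be sent to Amap."""
    if kind not in ENDPOINTS:
        raise ValueError(f"unknown lookup kind {kind!r}")
    query = dict(params)
    if kind == "poi_around" and "location" in query:
        query["location"] = minimize_location(query["location"])
    fields = ", ".join(f"{k}={v}" for k, v in query.items())
    query["key"] = key
    url = f"{AMAP_BASE}{ENDPOINTS[kind]}?{urlencode(query)}"
    disclosure = f"About to send to Amap {ENDPOINTS[kind]}: {fields}; plus your API key."
    return url, disclosure


def redact_key(url):
    """Strip the key before the URL is logged or echoed to the user."""
    return re.sub(r"(?<=[?&])key=[^&]*", "key=<redacted>", url)


def lookup(kind, params, key, consent=None):
    """Build the request and only return the URL once the user has agreed.

    `consent` is a callable given the disclosure text; by default it asks on
    the terminal. Returns None when the user declines.
    """
    url, disclosure = build_request(kind, params, key)
    ask = consent or (lambda text: input(text + "\nProceed? [y/N] ").strip().lower() == "y")
    if not ask(disclosure):
        return None
    print("sending", redact_key(url))
    return url  # a real client would GET this; omitted so the example stays offline


if __name__ == "__main__":
    demo_key = "0123456789abcdef0123456789abcdef"  # constructed placeholder, not a real key
    # Constructed inputs: a geocode of an address and a nearby search around a fix.
    for kind, params in [
        ("geocode", {"address": "北京市朝阳区阜通东大街6号"}),
        ("poi_around", {"keywords": "pharmacy", "location": "116.481488,39.990464", "radius": "1000"}),
    ]:
        lookup(kind, params, demo_key, consent=lambda text: print(text) or True)
```

The disclosure lists every parameter by name and value rather than a generic "data will be sent" notice, because the findings are about users not realising that an address or IP is the thing being disclosed. Rounding the nearby-search coordinate is a deliberate trade-off: three decimals is coarse enough not to identify a building yet fine enough for a radius search, and it should not be applied to geocoding, where the address itself is the query.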

VirusTotal

65/65 vendors flagged this skill as clean.
