Didi Map JSAPI

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Didi Map JSAPI reference skill with expected map, location, routing, POI, and API-key examples, and no executable install behavior.

Safe to install as reference material. Developers using its location, routing, geocoding, or POI examples should add clear user consent, privacy notices, data minimization, logging limits, key protection, and regional compliance checks before shipping an app.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (47)

Intent-Code Divergence

Low
Confidence
97% confidence
Finding
The documentation says 关键词检索 corresponds to textSearch, but then labels 周边搜索 as inputTips and 输入提示 as aroundSearch. Later sections clearly define inputTips as 输入提示服务 and aroundSearch as 周边检索服务, so the introductory mapping contradicts the actual documented behavior.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manifest says the skill should automatically trigger whenever the user mentions DiMap, 滴滴地图, didi-jsapi, or related map development needs. The phrase '相关地图开发需求时自动触发' is ambiguous and lacks clear scope or exclusion conditions, which could cause unintended invocation during general discussion of maps rather than requests specifically about this JSAPI skill.

Natural-Language Policy Violations

Medium
Confidence
85% confidence
Finding
The skill metadata and content are entirely in Chinese and present the guidance as the expected interaction mode, but do not indicate that language can be adapted to the user's preference. Under the policy, forcing a specific language without user opt-in is a natural-language policy concern unless the locale restriction is clearly documented and justified.

Natural-Language Policy Violations

Low
Confidence
96% confidence
Finding
This markdown file contains the user-facing skill documentation almost entirely in Chinese, including headings, descriptions, and parameter explanations. Under the policy, forcing a specific language without user opt-in is a natural-language policy violation unless the locale restriction is clearly documented and justified, which is not present here.

Natural-Language Policy Violations

Low
Confidence
88% confidence
Finding
The visible user-facing documentation and parameter descriptions are written in Chinese, with no indication that language selection is optional or that the skill is intentionally region-specific. Under the natural-language policy rule, forcing a specific language without opt-in can be a locale policy violation.

Natural-Language Policy Violations

Low
Confidence
86% confidence
Finding
This markdown file uses Chinese exclusively for the skill description and parameter documentation. Under the natural-language policy rule, forcing a specific language without offering a choice or documenting a justified locale constraint can be a policy violation.

Natural-Language Policy Violations

Low
Confidence
89% confidence
Finding
This markdown file presents the skill documentation entirely in Chinese, including the main descriptive text and parameter descriptions, without indicating that the locale is intentionally region-specific or offering an alternative language. Under the stated policy, forcing a specific language without user opt-in can be a natural-language policy violation.

Natural-Language Policy Violations

Low
Confidence
85% confidence
Finding
This markdown file presents the skill documentation and user-facing descriptions exclusively in Chinese, including the control name, parameter descriptions, and trigger text. Under the policy rule for language or locale constraints, this can be a violation when no user opt-in or justification for the fixed language is provided.

Natural-Language Policy Violations

Low
Confidence
83% confidence
Finding
This markdown file presents the skill documentation and UI labels exclusively in Chinese, including headings and button text such as "开始测距" and "结束测距". Under the policy, forcing a specific language without user opt-in can be a natural-language policy violation when no alternative language or locale choice is provided.

Natural-Language Policy Violations

Low
Confidence
92% confidence
Finding
This markdown file contains user-facing documentation and examples in Chinese only, with no indication that the skill is region-specific or that alternative language support is available. Under the policy, forcing a specific language without user opt-in can be a natural-language policy violation.

Natural-Language Policy Violations

Low
Confidence
88% confidence
Finding
This markdown file presents the skill documentation entirely in Chinese, with no indication that users can select another language or locale. Under the policy rule for natural-language violations, forcing a specific language without opt-in can be a compliance issue.

Natural-Language Policy Violations

Low
Confidence
93% confidence
Finding
This markdown documentation presents all descriptive natural-language content in Chinese, with no indication that language selection is optional or that the skill is intentionally scoped to a Chinese-speaking audience. Under the stated policy, forcing a specific language without opt-in can be a natural-language policy violation.

Natural-Language Policy Violations

Low
Confidence
95% confidence
Finding
This markdown file contains user-facing natural-language documentation exclusively in Chinese across the body of the file. Under the stated policy, forcing a specific language without user opt-in can be a locale-policy violation unless the constraint is explicitly justified, which is not present here.

Natural-Language Policy Violations

Low
Confidence
90% confidence
Finding
This markdown file presents the skill name and usage note only in Chinese, with no indication that other languages are supported or that the locale is intentionally constrained. Under the policy, forcing a specific language without user opt-in can be a natural-language policy violation unless the restriction is clearly documented and justified.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This markdown file describes a tool for obtaining device geographic coordinates and provides usage examples, but it does not include any warning or disclosure about collecting sensitive location data. For markdown files, privacy-impacting behavior should be clearly disclosed so users understand the implications before using the skill.

Natural-Language Policy Violations

Low
Confidence
89% confidence
Finding
The natural-language description and parameter documentation are presented in Chinese only, which can amount to a language policy issue when no user opt-in or locale justification is provided. The file does not indicate that this skill is region-specific or that users may select another language.

Natural-Language Policy Violations

Low
Confidence
91% confidence
Finding
The entire skill document is written in Chinese and does not indicate any option for other languages or user-selected locale. Under the stated policy, forcing a specific language without user opt-in is a natural-language policy concern.

Natural-Language Policy Violations

Low
Confidence
86% confidence
Finding
This markdown file uses Chinese throughout its user-facing descriptions, starting with the main class summary, and does not indicate that Chinese is optional or that the document is intended only for a Chinese-language audience. Under the language/locale policy rule, forcing a single language without user opt-in can be a policy concern even in documentation files.

Natural-Language Policy Violations

Low
Confidence
94% confidence
Finding
This markdown file contains user-facing instructions and API documentation exclusively in Chinese, and there is no indication that the skill is region-specific or that users can choose another language. Under the policy rule for natural-language constraints, forcing a single language without opt-in can be a locale-policy violation.

Natural-Language Policy Violations

Low
Confidence
93% confidence
Finding
This markdown file is natural-language documentation, and its user-facing content consistently forces a single language/locale. Under the policy rule, language constraints should either be optional for the user or clearly justified as region-specific; neither is present here.

Natural-Language Policy Violations

Low
Confidence
96% confidence
Finding
This markdown file uses Chinese throughout its headings and descriptions, which effectively forces a specific language for users consuming the skill documentation. Under the policy, language restrictions should either offer user choice or be clearly justified as region-specific.

Natural-Language Policy Violations

Low
Confidence
89% confidence
Finding
The file’s user-facing documentation is written entirely in Chinese in headings and parameter descriptions, with no indication that alternative languages are available or that the locale is intentionally constrained. Under the policy rule, forcing a specific language without user opt-in can be a natural-language policy violation.

Natural-Language Policy Violations

Low
Confidence
92% confidence
Finding
This markdown file presents the skill documentation entirely in Chinese, including headings and method descriptions, without indicating that the locale is optional or region-specific. Under the policy rule, forcing a specific language without user opt-in can be a natural-language policy violation.

Natural-Language Policy Violations

Low
Confidence
96% confidence
Finding
This markdown file presents all user-facing descriptions and parameter documentation in Chinese only. Under the stated policy, forcing a specific language without offering a language or locale choice is a natural-language policy violation unless the locale constraint is clearly documented and justified, which is not present here.

Natural-Language Policy Violations

Low
Confidence
89% confidence
Finding
This markdown file contains user-facing instructional content exclusively in Chinese, including the title description and parameter explanations. Under the policy rule for language/locale, forcing a specific language without opt-in can be a natural-language policy violation when no choice or justification is provided.

VirusTotal

65/65 vendors flagged this skill as clean.
