Back to skill
Skillv1.0.2
VirusTotal security
tmap-lbs-service · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:46 AM
- Hash
- 95d285a382a62122e729108b12dc7b7729ffbaa3743fd704e695f3fa0834d8e5
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: tmap-lbs-service Version: 1.0.2 The skill bundle contains instructions in 'references/scene2-nearby-search.md' and 'references/scene5-travel-planner.md' that direct the AI agent to embed the user's Tencent Map API Key (stored in the TMAP_LBS_CONFIG environment variable) into plaintext URLs returned to the user. This practice exposes sensitive credentials in the chat interface, logs, and browser history. While this appears to be a functional requirement for the specific Tencent Map web interface used by the skill, it constitutes a credential leak vulnerability. The core logic in 'index.js' and the use of 'node -e' or 'curl' commands are consistent with the stated purpose of providing location-based services via official Tencent API endpoints (apis.map.qq.com).
- External report
- View on VirusTotal