Back to skill
Skillv1.0.12
VirusTotal security
tmap-test · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:45 AM
- Hash
- 35bb3bd575a770ebee0d77a2ef08c34acb8619edc40c0ca852ff975d2f416894
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: tmap-test Version: 1.0.12 The skill bundle implements Tencent Maps LBS services but utilizes high-risk execution patterns by instructing the AI agent to perform shell commands (`curl`) and execute arbitrary Node.js code (`node -e`) via markdown instructions (e.g., in `scene2-nearby-search.md` and `scene3-poi-search.md`). While these capabilities are used to interact with legitimate Tencent API endpoints (apis.map.qq.com), the reliance on the agent to construct and execute shell strings from user-provided input (like locations or keywords) creates a significant vulnerability for command injection. No evidence of intentional data exfiltration or malicious backdoors was found, but the execution model is inherently risky.
- External report
- View on VirusTotal