ClawHub

Map Address Query

Security checks across malware telemetry and agentic risk

Overview

This skill does the advertised map lookup work, but users should understand it downloads a third-party CLI and stores a Tencent map API key in a persistent config file.

Install only if you trust the scottkiss/qq-map-cli GitHub release that the script downloads. Use a restricted Tencent Location Service key, protect or delete ~/.qq_map_cli_config.json when no longer needed, and avoid sending sensitive addresses or routes unless you are comfortable sharing them with Tencent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes shell commands and bundled scripts/binaries, but no permissions are declared to reflect that capability. This creates a transparency and policy gap: an agent or reviewer may believe the skill is only doing map lookups while it can execute local commands and trigger additional side effects such as downloads or file writes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose is map/address querying, but the documented behavior also includes downloading an executable, installing/unpacking it, and platform-specific execution logic. That mismatch is dangerous because it hides a software-supply-chain and code-execution path behind a seemingly simple data-query skill.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The workflow instructs creation and reuse of a persistent config file in the user's home directory, extending the skill's scope beyond a one-off map query. Persisting data globally increases the blast radius of mistakes, can affect other sessions/projects, and may leave sensitive settings behind without clear user consent.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
By instructing the agent to read credentials from environment variables and home-directory config, the skill expands from map lookup into credential access and handling. Even if intended for convenience, this broadens sensitive-data exposure and can cause agents to touch secrets unrelated to the immediate user request.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script automatically downloads and installs a third-party executable from GitHub at runtime, which materially expands the skill's behavior from map lookup into software installation and code introduction on the host. Because the downloaded artifact is not integrity-pinned or signature-verified, a compromised release, redirected download, or supply-chain attack could lead to execution of untrusted code.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Introducing silent installation capability is risky because it gives the skill the ability to modify the local environment beyond its stated map-query purpose. In an agent setting, this increases attack surface and can be abused to stage arbitrary tooling under the guise of normal skill execution.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation directs storing the Tencent API key in a persistent home-directory config file without warning about security implications such as local disclosure, backups, or multi-user access. Persisting secrets on disk by default is risky, especially when not paired with least-privilege guidance or storage protections.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script silently downloads and unzips a remote binary into a local bin directory with no meaningful warning, confirmation, or provenance validation. That combination makes it easy for users or calling agents to introduce executable code without understanding the risk, and it removes a key opportunity to detect unexpected installation behavior.

Session Persistence

Medium
Category
Rogue Agent
Content
2. **Get an API Key:**
   - Visit [Tencent Location Service Console](https://lbs.qq.com/dev/console/application/mine).
   - Click "创建应用" (Create Application) and "添加key" (Add Key).
   - Copy the generated Key.

3. **Configure the Key globally:**
Confidence
74% confidence
Finding
Create Application) and "添加key" (Add Key). - Copy the generated Key. 3. **Configure the Key globally:** - **Mac/Linux**: `./scripts/bin/qq-map-cli setup --config ~/.qq_map_cli_config.json --key

Session Persistence

Medium
Category
Rogue Agent
Content
## Quick Start

- If the global config file does not exist, create one first:

```bash
# On Mac/Linux
Confidence
90% confidence
Finding
create one first: ```bash # On Mac/Linux ./scripts/bin/qq-map-cli setup --config ~/.qq_map_cli_config.json # On Windows (CMD/PowerShell) .\scripts\bin\qq-map-cli.exe setup --config %USERPROFILE%\.qq

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal