ClawHub

tencentmap-lbs-skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Tencent Maps helper, with normal cautions around sharing location data, API keys, and track-data links with a third-party map service.

Install only if you trust the npm CLI package and are comfortable using Tencent Maps for these tasks. Use a restricted Tencent Maps key where possible, avoid submitting precise private home/work routes, and use only public or sanitized track JSON URLs rather than signed, internal, or secret-bearing links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list includes very common verbs and phrases such as '搜', '找', '查', '附近', '周边', '路线', and '规划', which can match a wide range of ordinary user requests outside the intended Tencent Maps scope. In an agent environment, this can cause over-activation of the skill, leading to unnecessary tool use, unintended data sharing to external map services, and confusion when the agent routes unrelated tasks into this skill.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation guidance says to use the skill whenever a user wants to search addresses, places, nearby information, or plan routes, but it does not clearly bound when the skill should not be used. This ambiguity increases the chance that the agent invokes the skill for loosely related requests, potentially sending user queries to external APIs or prompting for API-key setup when the task could have been handled without the skill.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to place a user-supplied data URL directly into a Tencent Maps visualization link without warning that the original URL will be disclosed to Tencent and anyone who receives the generated link. If users provide private, signed, internal, or sensitive URLs, this can leak data source locations, access tokens embedded in URLs, or internal infrastructure details to a third-party service and downstream viewers.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal