ClawHub

test-tt-skill

Security checks across malware telemetry and agentic risk

Overview

This Tencent Maps skill performs expected map functions, but it needs review because it can expose sensitive location data and API keys without adequate warnings.

Install only if you are comfortable sending task-related location and travel details to Tencent Maps. Use a temporary, tightly restricted Tencent Maps key, avoid sharing generated links that contain the real key, and avoid submitting home/work routes, vehicle plate numbers, private trajectory URLs, or signed data links unless necessary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger list includes very broad terms such as '搜', '找', '查', '附近', and '规划', which can overlap with many ordinary conversations unrelated to map operations. Overbroad activation can cause the skill to engage unexpectedly and collect or transmit location-related queries to third-party services when the user did not intend to invoke mapping functionality.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs the agent to use web service APIs and shell curl for POI, routing, and trajectory-related features, but it does not clearly warn that user-provided addresses, coordinates, nearby-search context, and possibly trajectory data will be sent to a third-party provider. Because this skill specifically processes precise location and travel information, the missing disclosure materially increases privacy risk and can lead to unintended external sharing of sensitive data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill sends user-supplied search terms, precise coordinates, routes, and waypoint data to Tencent's external map API, which can reveal sensitive location and travel patterns to a third party. In a location-services skill this data flow is functionally necessary, but the code provides no explicit consent notice, minimization, or privacy guidance before transmitting potentially sensitive geolocation data.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill instructs users to provide a Tencent Maps API key and then includes that key directly in generated URLs and example curl commands. This is dangerous because API keys embedded in URLs can be exposed through browser history, logs, referrers, screenshots, shared links, and downstream telemetry, enabling unauthorized use of the key and potential billing or quota abuse.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation instructs users to provide a temporary Tencent Maps API key and send POI/location queries to an external service, but it does not include basic guidance on secure credential handling or the privacy implications of transmitting potentially sensitive location data. In a location-services skill, missing these warnings can lead to accidental key exposure in shell history/logs and uninformed sharing of user location context with a third-party API.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly encourages users to configure a Tencent Maps API key and submit precise origin/destination coordinates, but it does not warn that these route-planning requests transmit sensitive location data to a third-party provider. In a location-services skill, origin and destination pairs can reveal home, work, routines, and travel intentions, so the missing privacy notice meaningfully increases the risk of uninformed disclosure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to send user-supplied attraction names to Tencent geocoding services and to generate a Tencent-hosted planning link, but it does not clearly warn the user that their itinerary interests will be shared with a third party. This creates a privacy and consent issue because travel plans can reveal sensitive behavioral or location preferences, and the omission is more concerning in a consumer travel-planning context where users may not expect external disclosure.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal