tmap-jsapi-gl-skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.
This skill looks appropriate for Tencent Maps JSAPI GL development. Before installing, be aware that generated code may load Tencent-hosted JavaScript, call Tencent map/search/route services, and use your TMAP_JSAPI_KEY. Replace any demo keys with your own restricted key and verify important examples against Tencent's official documentation. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Generated examples may use your Tencent Maps account quota and permissions.
The skill needs a Tencent Maps API key. This is expected for its stated purpose, but it is still credential-bearing provider access.
Required env vars: TMAP_JSAPI_KEY ... Primary credential: TMAP_JSAPI_KEY
Use your own restricted Tencent Maps key, apply domain/referrer restrictions where possible, and avoid committing production keys into public code.
Apps built from these examples will depend on Tencent-hosted scripts at runtime.
The quick-start template loads Tencent's hosted JavaScript API in the browser. This is central to the map integration, but it means applications execute third-party provider code.
<script src="https://map.qq.com/api/gljs?v=3&key={TMAP_JSAPI_KEY}"></script>
Only use the official Tencent Maps script URL, review provider terms/security guidance, and avoid replacing it with untrusted script sources.
If copied into an app, user map queries or location-related data may be transmitted to Tencent Maps services.
The demos show route-planning requests to Tencent APIs with coordinates. This is expected for maps functionality, but real user locations, search terms, or IP-based location requests would be sent to the provider.
var url="https://apis.map.qq.com/ws/direction/v1/driving/"; ... url+="?from=39.984039,116.307630"; ... url+="&to=39.977263,116.337063";
Disclose provider data flows to users, avoid sending sensitive locations unnecessarily, and follow Tencent Maps privacy and API-key security guidance.
Users may not be able to easily confirm that bundled docs and demos exactly match Tencent's official current documentation.
The package provenance is not linked to an official source. Because this is instruction-only with no install code, this is a provenance note rather than a security concern.
Source: unknown; Homepage: none
For production or security-sensitive work, cross-check generated code and API details against Tencent's official documentation.
