
Security audit

tmap-jsapi-gl-skill

Security checks across malware telemetry and agentic risk

Overview

This is a Tencent Maps JavaScript GL reference skill with expected map-service examples, but users should handle API keys and location-related data carefully.

Reasonable to install for Tencent Maps JSAPI GL development. Use a Tencent Maps key restricted by domain and service scope, do not reuse bundled demo keys, and add clear notices or explicit clicks before sending IP addresses, coordinates, search terms, addresses, or route queries to Tencent services in any app built from these examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 95%
Finding:
The skill's trigger description is extremely broad, covering nearly any mention of Tencent maps, JSAPI, or general map development, so the skill can activate in contexts where it is not actually needed. Overly broad auto-triggering increases the chance that unrelated tasks get routed through this skill, needlessly exposing its environment requirements and letting its guidance bleed into adjacent workflows where it does not belong.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The page embeds a third-party Tencent Maps GL script with a visible API key, which exposes the key to anyone who can view the source and causes an automatic outbound request to an external service without any disclosure. Even if the key is intended for browser use, exposed keys can be abused unless tightly restricted, and undisclosed third-party loading creates privacy and supply-chain risk.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The page calls locate() automatically on load, which triggers an IP-based geolocation request before the user clicks the search button or receives a meaningful consent prompt. Even though IP-derived location is less precise than GPS, it still processes personal data and can surprise users, creating privacy, compliance, and trust risks in a demo that developers may copy into production.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The example embeds a third-party script from map.qq.com with an API key directly in the document, causing client browsers to make external requests and exposing the key in page source, network logs, and potentially referer-linked telemetry. In a documentation skill, omitting any warning about third-party network access and key handling can lead users to copy insecure patterns into production code.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The asynchronous example dynamically injects a remote script URL containing an API key and callback, which both triggers external network activity and normalizes a pattern of loading executable third-party code at runtime without integrity or trust guidance. This is dangerous in documentation because readers may reuse it verbatim, exposing their own keys and increasing supply-chain/script-injection risk.

VirusTotal

66/66 vendors flagged this skill as clean.
