baidu-map-jsapi-gl

Security checks across malware telemetry and agentic risk

Overview

This appears to be a Baidu Maps WebGL documentation skill with no evidence of hidden execution, persistence, credential access, or malicious behavior.

Reasonable to install as a documentation skill. When copying the custom overlay example, treat title, description, image URL, or other dynamic fields as untrusted unless you control them; prefer DOM APIs like textContent and safe URL validation over raw innerHTML.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: The example constructs HTML with template literals that interpolate `this.properties.imgSrc`, `title`, and `desc` directly into `innerHTML` without escaping or sanitization. If developers copy this pattern with user-controlled or external data, it can lead to DOM-based XSS in the application using the overlay, and the map/UI context makes the pattern especially likely to be reused in production code.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The documentation presents a copy-pastable snippet that inserts unescaped dynamic values into HTML but does not mention XSS risk or trust boundaries. In a developer skill/documentation context, unsafe examples are influential: they can propagate insecure coding practices into applications that render attacker-controlled map card content.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal