baidu-map-jsapi-three

Security checks across malware telemetry and agentic risk

Overview

This appears to be a benign documentation skill for building MapV-Three GIS applications, with a small documentation safety caveat around HTML examples.

Safe to install as a MapV-Three reference skill. When using its popup, DOM overlay, or DOMPoint examples, do not insert untrusted GeoJSON/CSV/API fields into innerHTML or HTML string properties without escaping or sanitizing them, and keep map service API keys scoped and private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 97%
Finding
The DOMPoint example assigns untrusted data fields directly into `innerHTML`, which can lead to DOM-based XSS if `name` or `description` contains HTML or script-bearing payloads. Because this is documentation, the risk is indirect but real: developers may copy this pattern into production GIS apps that render user-controlled map annotations or POI metadata.

Missing User Warnings

Medium
Confidence: 94%
Finding
The documentation explicitly demonstrates assigning raw HTML strings to `popup.title` and `popup.content`, including use of `innerHTML`, without any warning or sanitization guidance. In a Web-GIS/UI library, developers commonly bind popup content to user- or data-driven values, so these examples can directly encourage DOM-based XSS if untrusted input is rendered.

VirusTotal

66/66 vendors flagged this skill as clean.