amap-lbs-skill

Warn

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: MEDIUM
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill implements a mechanism to persist the Amap Web Service Key in plain text on the local filesystem.
      • Evidence: The saveConfig function in index.js writes the key to a file named config.json using fs.writeFileSync.
      • Evidence: The readConfig and ensureWebServiceKey functions read this key for subsequent API requests.
  • [EXTERNAL_DOWNLOADS]: The skill specifies a dependency on the axios package with a version string that does not correspond to current stable releases.
      • Evidence: package.json contains "axios": "^1.13.6". The current stable versioning for axios is in the 1.7.x range, making this specified version suspicious.
      • Evidence: The skill fetches data from official Amap API endpoints (restapi.amap.com) and generates visualization links targeting the a.amap.com domain.
  • [COMMAND_EXECUTION]: The skill includes multiple executable Node.js scripts intended to be triggered by the agent.
      • Evidence: scripts/poi-search.js, scripts/route-planning.js, and scripts/travel-planner.js are provided to perform various mapping tasks via the command line.
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by processing and displaying data from external API responses.
      • Ingestion points: Data retrieved from https://restapi.amap.com/v5/place/text (POI searches) and other route planning endpoints in index.js.
      • Boundary markers: No delimiters or instructions are used to distinguish external API content from agent instructions in the output logged to the console.
      • Capability inventory: The skill uses node to execute local scripts and has network access via the axios library.
      • Sanitization: Content retrieved from the Amap API is printed directly to the console or returned to the agent context without filtering or sanitization.

Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 8, 2026, 07:43 AM