amap
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches mapping, weather, and location data from the official Amap (Gaode Maps) Web Service API endpoints at restapi.amap.com.
- [COMMAND_EXECUTION]: Uses the curl utility to interact with external APIs, employing environment variables to handle sensitive authentication keys.
- [PROMPT_INJECTION]: Identifies a surface for indirect prompt injection and potential command injection through the interpolation of untrusted user inputs into shell commands.
  - Ingestion points: User-provided parameters such as keywords, city codes, and addresses are ingested into shell-executed curl commands.
  - Boundary markers: No explicit delimiters or instructions are provided to the agent to treat interpolated variables strictly as data.
  - Capability inventory: The skill utilizes curl within a shell environment to perform network operations.
  - Sanitization: There is no logic within the skill instructions to sanitize or escape user-provided strings before they are embedded in executable commands.