tmap-jsapi-gl

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE (EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill loads several external JavaScript libraries and resources necessary for map rendering and data visualization.
      • Scripts are loaded from map.qq.com, mapapi.qq.com, and lbs.gtimg.com, which are domains associated with the author (TencentLBS).
      • Example: https://map.qq.com/api/gljs?v=1.exp&key=OB4BZ-D4W3U-B7VVO-4PJWW-6TKDJ-WPB77 found in multiple demo files.
      • It also references an external test server for WMS layers at ahocevar.com (associated with the well-known OpenLayers project).
  • [CREDENTIALS_UNSAFE]: Multiple demo files include a hardcoded API key used to authenticate requests to the Tencent Maps service.
      • Evidence: key=OB4BZ-D4W3U-B7VVO-4PJWW-6TKDJ-WPB77 found in references/visualization/demos/2D经典热力.html and other demo files.
      • Context: This is identified as a public demo key provided by the vendor for trial and demonstration purposes in their official documentation.
  • [REMOTE_CODE_EXECUTION]: The skill utilizes JSONP (JSON with Padding) to fetch data from the Tencent Maps WebService API, which involves dynamic script creation.
      • Files like references/jsapigl/demos/折线_折线应用:路线规划.html use a jsonp_request function to dynamically create and append script tags to the document.
      • This pattern is used exclusively to load geospatial data (such as route coordinates) from the vendor's official API domain (apis.map.qq.com).
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 11, 2026, 02:30 AM