tmap-lbs-skills
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, CREDENTIALS_UNSAFE)
Full Analysis
- [COMMAND_EXECUTION]: The skill provides documentation in several reference files (e.g., `references/scene2-nearby-search.md` and `references/scene5-travel-planner.md`) that instruct the agent to execute shell commands (`curl`) with parameters directly substituted from user input, such as location names or addresses. If the agent does not perform strict sanitization, this pattern creates a risk of command injection where a user could provide shell metacharacters (e.g., `;`, `$()`, or backticks) to execute unauthorized commands on the underlying system.
- [CREDENTIALS_UNSAFE]: Multiple reference documents (e.g., `references/scene2-nearby-search.md`) advise the agent to generate and return URLs to the user that contain the `TMAP_WEBSERVICE_KEY` as a plaintext query parameter. Including sensitive API keys in URLs is an unsafe practice as it exposes the credentials in browser history, server-side logs, and HTTP Referer headers when the user clicks the link.
- [SAFE]: The primary logic implemented in `index.js` correctly utilizes environment variables (`process.env.TMAP_WEBSERVICE_KEY`) for credential management and employs `encodeURIComponent` for parameter serialization, which is a secure method for handling network requests compared to the manual shell templates in the markdown documentation.
- [SAFE]: All API endpoints and visualization URLs referenced in the skill point to official, well-known Tencent domains (`map.qq.com`, `apis.map.qq.com`), and no suspicious third-party external downloads or dependencies were detected.