Scan Report
5/100
baidu-ai-map
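Baidu Maps Map Agent Plan: the official AI map skill built exclusively for agents, with direct access to five core capabilities (place, direction, geocoding, reverse_geocoding, weather), letting large models call map services with one click.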
A lean, well-documented Baidu Maps API skill that only describes curl-based API calls to official Baidu endpoints. No scripts, no hidden functionality, and no exfiltration. The only declared tool (curl/bash) matches actual usage.
Safe to install
Approve for use. No security concerns identified.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No filesystem access in SKILL.md |
| Network | READ | READ | ✓ Aligned | Only makes GET/POST requests to api.map.baidu.com (official Baidu API) |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md declares curl as required bin; all curl examples are fully visible |
| Environment | READ | READ | ✓ Aligned | Only reads BAIDU_MAP_AUTH_TOKEN; no iteration over os.environ |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation described |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
8 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://lbs.baidu.com | SKILL.md:6 |
| Medium | External URL | https://api.map.baidu.com/ | SKILL.md:26 |
| Medium | External URL | https://lbs.baidu.com/apiconsole/agentplan | SKILL.md:33 |
| Medium | External URL | https://api.map.baidu.com/agent_plan/v1/place | SKILL.md:50 |
| Medium | External URL | https://api.map.baidu.com/agent_plan/v1/direction?baidu_map_auth_token=$BAIDU_MAP_AUTH_TOKEN | SKILL.md:145 |
| Medium | External URL | https://api.map.baidu.com/agent_plan/v1/geocoding | SKILL.md:188 |
| Medium | External URL | https://api.map.baidu.com/agent_plan/v1/reverse_geocoding | SKILL.md:215 |
| Medium | External URL | https://api.map.baidu.com/agent_plan/v1/weather | SKILL.md:244 |
File Tree
1 file · 8.4 KB · 255 lines (Markdown: 1 file, 255 lines)
└─ SKILL.md (Markdown)
Security Positives
✓ Only one file (SKILL.md); no hidden scripts or binaries
✓ All network targets are official Baidu Maps API endpoints (api.map.baidu.com)
✓ Credential handling is correctly scoped to BAIDU_MAP_AUTH_TOKEN only
✓ No base64, eval, or obfuscated code
✓ No credential exfiltration or suspicious outbound connections
✓ Declared tool (curl) matches actual usage
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No remote script execution (curl|bash, wget|sh)
✓ No dependencies to audit (no package.json, requirements.txt, etc.)
✓ All URL endpoints are well-known, documented Baidu infrastructure