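Scan report
5/100
baidu-ai-map
Baidu Maps Map Agent Plan: the official AI map skill dedicated to agents, connecting directly to the five core capabilities place, direction, geocoding, reverse_geocoding and weather, so that large models can call map services in one step.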
A lean, well-documented Baidu Maps API skill that only describes curl-based API calls to official Baidu endpoints. No scripts, no hidden functionality, and no exfiltration. The only declared tool (curl/bash) matches actual usage.
Safe to install
Approve for use. No security concerns identified.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No filesystem access in SKILL.md |
| Network access | READ | READ | ✓ Consistent | Only makes GET/POST requests to api.map.baidu.com (official Baidu API) |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md declares curl as required bin; all curl examples are fully visible |
| Environment variables | READ | READ | ✓ Consistent | Only reads BAIDU_MAP_AUTH_TOKEN; no iteration over os.environ |
| Skill invocation | NONE | NONE | — | No cross-skill invocation described |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
8 findings
| Severity | Finding | URL | Location |
|---|---|---|---|
| Medium | External URL | https://lbs.baidu.com | SKILL.md:6 |
| Medium | External URL | https://api.map.baidu.com/ | SKILL.md:26 |
| Medium | External URL | https://lbs.baidu.com/apiconsole/agentplan | SKILL.md:33 |
| Medium | External URL | https://api.map.baidu.com/agent_plan/v1/place | SKILL.md:50 |
| Medium | External URL | https://api.map.baidu.com/agent_plan/v1/direction?baidu_map_auth_token=$BAIDU_MAP_AUTH_TOKEN | SKILL.md:145 |
| Medium | External URL | https://api.map.baidu.com/agent_plan/v1/geocoding | SKILL.md:188 |
| Medium | External URL | https://api.map.baidu.com/agent_plan/v1/reverse_geocoding | SKILL.md:215 |
| Medium | External URL | https://api.map.baidu.com/agent_plan/v1/weather | SKILL.md:244 |
Directory structure
1 file · 8.4 KB · 255 lines
Markdown: 1 file · 255 lines
└─ SKILL.md (Markdown)
Security highlights
✓ Only one file (SKILL.md); no hidden scripts or binaries
✓ All network targets are official Baidu Maps API endpoints (api.map.baidu.com)
✓ Credential handling is correctly scoped to BAIDU_MAP_AUTH_TOKEN only
✓ No base64, eval, or obfuscated code
✓ No credential exfiltration or suspicious outbound connections
✓ Declared tool (curl) matches actual usage
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No remote script execution (curl|bash, wget|sh)
✓ No dependencies to audit (no package.json, requirements.txt, etc.)
✓ All URL endpoints are well-known, documented Baidu infrastructure