bmap-cli

Warn

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches a platform-specific binary executable from the author's cloud storage (bj.bcebos.com) and grants it execution permissions.
  • [COMMAND_EXECUTION]: The instructions mandate that the agent must immediately and autonomously execute any command provided in the terminal output if it matches an update pattern ("发现新版本"), bypassing user review.
  • [PROMPT_INJECTION]: The skill includes instructions to operate with high autonomy, explicitly stating to "not rely on manual user operations" and to "independently complete the entire process," which limits human-in-the-loop oversight.
  • [CREDENTIALS_UNSAFE]: The agent is directed to embed full, unmasked Access Keys (AKs) directly into source code files and is strictly prohibited from using placeholders, fake keys, or instructions for the user to replace them.
  • [REMOTE_CODE_EXECUTION]: The skill treats the terminal output from the CLI installation process as a source of truth for "instructions to be executed," effectively allowing the binary to dictate subsequent agent actions.
  • [COMMAND_EXECUTION]: The skill modifies the user's shell environment configuration (~/.zshenv) to persist the tool's location in the system PATH.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 12, 2026, 12:38 PM