tencentmap-webservice-skill

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). 该提示明确要求代理检测/接受用户的正式 Key、“静默记录”并在后续按用户意图发起带 key 的 API 请求（示例中展示了将 key 嵌入到 URL/请求中），这会使 LLM 需要处理并可能在输出中包含秘密值，存在泄露风险。

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's "体验模式" requires calling the h5gw domain with JSONP (e.g., https://h5gw.map.qq.com/ws/location/v1/ip) and even gives sample code that dynamically inserts a tag, so at runtime it fetches and executes remote script (JSONP) from h5gw.map.qq.com which the skill depends on for the experience-mode pathway.

MEDIUM W021: Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).

• Hidden Unicode characters detected (1 type(s) found)