amap-jsapi

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt's code examples explicitly require placing plaintext secrets (securityJsCode and web developer key) directly into JavaScript source, which would force the LLM to embed secret values verbatim when generating runnable code — an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill's Quick Start instructs including and loading the remote JavaScript "https://webapi.amap.com/loader.js", which is fetched and executed at runtime and is a required external dependency for the skill to function.