Git-Map
Review
Audited by ClawScan on May 10, 2026.
Overview
Git-Map mostly matches its stated purpose, but it exposes credential-using, write-capable ArcGIS map tools through an unauthenticated local HTTP server with permissive CORS.
Install only if you trust `gitmap-core` and need ArcGIS web map version control. Use scoped ArcGIS tokens rather than passwords, keep the local server stopped when not in use, and review any push, pull, or branch-delete request before allowing the agent to run it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the local server is running, another local process or a web page that can reach localhost may be able to invoke map/version-control actions outside the user's intended OpenClaw interaction.
The server allows cross-origin browser requests and dispatches unauthenticated JSON parameters directly to registered tools, including write-capable GitMap operations.
self.send_header("Access-Control-Allow-Origin", "*") ... result = tool_fn(**params)
Run the server only when needed, restrict CORS/origins, add an authentication token or local IPC boundary, and require explicit user confirmation before push, pull, or delete-style actions.
The agent may use ArcGIS credentials to list maps and push or pull web map changes, depending on the account's permissions.
The skill requires ArcGIS account credentials for portal access; this is expected for ArcGIS sync, but it grants access to the user's portal account.
export ARCGIS_USERNAME="your_username"
export ARCGIS_PASSWORD="your_password"
Prefer scoped API tokens over passwords, limit the account's ArcGIS permissions, and avoid passing credentials per-call unless necessary.
Installing an unverified or changed package version could alter what the skill does.
The skill depends on an external Python package that is installed manually and is not pinned in an install specification.
pip install gitmap-core
Verify the `gitmap-core` package source and version, pin a trusted version where possible, and install it in an isolated environment.
Tool calls can run local GitMap commands against directories the user or agent selects.
The skill executes the GitMap CLI as a subprocess from user-supplied repository paths; this is central to the stated CLI-wrapper purpose and does not use a shell.
result = subprocess.run(full_cmd, cwd=str(cwd) if cwd else None, capture_output=True, text=True, timeout=timeout, env=env)
Use this skill only with trusted GitMap repository directories, and review requested `cwd`, branch, and push parameters before allowing write operations.
