Skill v1.0.0
ClawScan security
Amap City Explorer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 15, 2026, 1:19 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's stated purpose (generating city guides from Amap data) aligns with its requirements and instructions: it only needs an AMAP_API_KEY and calls Amap Web Service endpoints as documented.
- Guidance: This skill appears coherent and uses only the AMAP_API_KEY to call Amap's documented APIs. Before enabling it, consider: (1) create and supply a dedicated Amap API key with only the Web Service permissions needed (avoid using high-privilege or shared keys); (2) restrict the key by IP/referrer if Amap supports it and monitor usage/quotas to detect unexpected calls; (3) understand that city names and coordinates are sent to Amap (expected for this functionality); avoid sending personal-identifying location data if you want privacy; (4) if you distrust the skill source, use a throwaway/limited key or test with non-sensitive queries first. Overall there are no incoherent or disproportionate requirements in the package.
Review Dimensions
- Purpose & Capability: ok. Name/description promise city guides based on 高德 (Amap) data; the skill only declares AMAP_API_KEY and documents calling Amap REST endpoints. No unrelated credentials, binaries, or install steps are requested.
- Instruction Scope: ok. SKILL.md explicitly lists the Amap Web Service APIs to call (district, weatherInfo, geocode, place/text, place/around, place/detail) and instructs to include AMAP_API_KEY. It does not instruct reading arbitrary local files, other env vars, or sending data to third-party endpoints.
- Install Mechanism: ok. Instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. This is the lowest-risk model for presence on the host.
- Credentials: ok. Requires a single credential (AMAP_API_KEY) which is appropriate and declared as the primary credential. The API key is necessary and sufficient for the described Amap Web Service calls; no extra secrets are requested.
- Persistence & Privilege: ok. always:false and no install means the skill does not request permanent forced inclusion or system-wide config changes. SKILL.md states results are fetched live and not stored; outbound HTTP requests to restapi.amap.com are expected for function.
