Skill v1.0.0
ClawScan security
Amap Walk Route · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 15, 2026, 1:30 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and instructions match its stated purpose: it needs an Amap API key to call Amap web APIs to plan walking routes and generate map QR codes, and it does not ask for unrelated credentials or install code on disk.
- Guidance: This skill appears coherent and only needs your Amap API key to call Amap web services. Before installing: (1) Create and use a dedicated Amap API key for this skill, and restrict it by allowed referrers or IPs if possible; (2) Monitor API usage/billing in your Amap console so unexpected calls can be noticed; (3) Be aware that any location/address you provide to the skill will be sent to Amap (that is required for geocoding and POI search); (4) If the skill later adds code files or an install step, re-check the install source and any new requested permissions. Revoke the key if you see unexpected activity.
Review Dimensions
- Purpose & Capability (ok): The name/description ask for map-based route planning and QR generation; the only required secret is AMAP_API_KEY used to call Amap Web Service endpoints. No unrelated environment variables, binaries, or config paths are requested.
- Instruction Scope (ok): SKILL.md instructs the agent to call Amap REST APIs (geocode, regeo, place/around, weather, direction/walking, maps_schema_personal_map). It does not instruct reading local files, other env vars, or sending data to third parties beyond Amap. User-provided location/address will be sent to Amap as expected for this functionality.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files; nothing will be written to disk by the skill itself.
- Credentials (note): Only AMAP_API_KEY is required, which is proportional to the purpose. Note that the API key grants the skill the ability to make arbitrary Amap API calls within your account/quota (and may incur usage or expose query data). Recommend using a restricted key (referrer/IP limits, scoped permissions) and monitoring usage.
- Persistence & Privilege (ok): always is false, the skill is user-invocable, and it requests no system-wide config or access to other skills. It does not request persistent presence or elevated agent privileges.
