Skill v1.0.2

ClawScan security

Map Integration Service · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 15, 2026, 4:35 PM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared features, optional API key, and referenced config paths are internally consistent with a map/location integration; nothing appears to request unrelated credentials or install arbitrary code, though some runtime details are vague and merit caution.
Guidance
This skill appears to do what it says: map searches and routing, with an optional map API key for advanced features. Before installing, consider:
1) Where will heatmap visualizations be hosted? The SKILL.md doesn't specify whether data you provide is uploaded to a third-party service — avoid sending sensitive location data until you confirm the endpoint.
2) If you add AMAP_WEBSERVICE_KEY to ~/.openclaw/.env, ensure that file is stored securely (correct filesystem permissions) and that the key has minimal permissions.
3) Watch network activity (which map provider domains are called) during use to confirm the agent only talks to expected map APIs.
4) If you need higher assurance, ask the publisher for details on how heatmap links are generated/hosted and for an explicit list of network endpoints the skill will contact.

Review Dimensions

Purpose & Capability
ok: Name and description match the instructions: search, geocoding, POI, routing, and visualization are all described and the SKILL.md only asks (optionally) for a map service API key for features that need it. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
note: Instructions are mostly scoped to building search URLs, calling map provider web services, and accepting a JSON data URL for heatmaps. The doc references local config paths (~/.openclaw/.env and ~/.openclaw/credentials/.env) for storing an optional API key; it does not explicitly instruct broad collection of other files, but the heatmap workflow is vague about where visualization links are generated or hosted (could imply uploading data).
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — lowest-risk install model. Nothing is downloaded or written by an installer step described in the skill metadata.
Credentials
ok: No required environment variables; an optional AMAP_WEBSERVICE_KEY is declared and is proportional to route/POI/routing features. The skill does suggest storing it in user-local .env files. It does not request unrelated secrets or multiple external credentials.
Persistence & Privilege
ok: always is false and model invocation is normal (agent may call the skill autonomously). The skill does not request persistent system-wide changes or modify other skills' config; its claimed persistence is limited to storing an optional API key in the user's local OpenClaw env files.