Baidu Map Cli (Official Baidu Maps CLI tool)
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This Baidu Maps helper is coherent overall, but it pushes creation and use of unrestricted Baidu Maps API keys and installs a remote CLI, which could expose your account quota.
Review this skill carefully before installing. It is designed for Baidu Maps work, but you should only approve the CLI download from a trusted source, avoid unrestricted wildcard AKs unless you understand the quota-abuse risk, and check where MCP credentials are stored.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An unrestricted Baidu Maps API key placed in code can be copied or abused, potentially consuming quota or affecting the user's Baidu Maps account.
The workflow explicitly prefers unrestricted browser API keys, creates one if unavailable, acknowledges quota-abuse risk, and requires the full key to be embedded in generated code.
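For browser-side AKs, **prefer only** entries whose `b_referers` equals `*`...create a new browser-side AK with `--b-referers '*'` (this widens the AK's exposure and may lead to quota abuse)...the code **must** use the **complete original AK string** from the list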
Use a domain-restricted or disposable development AK where possible, avoid committing full AKs to public repositories, review any AK creation prompt carefully, and delete or rotate unused unrestricted keys.
The local agent will rely on a downloaded executable to manage maps configuration and account resources.
The skill downloads and runs a remote CLI binary, but the artifact provides no checksum, signature, version pin, or reviewed code for that binary.
curl -fL "https://open-agent-cli.bj.bcebos.com/cli/bmap-cli-${BMAP_OS}-${BMAP_ARCH}" -o "$BMAP_CLI" && chmod +x "$BMAP_CLI"
Only approve the install if you trust the download source, and prefer verifying the binary through an official Baidu Maps channel, checksum, or signature before running it.
Baidu Maps credentials may remain in local configuration and could be exposed to other local agent tools or users of the same machine.
The skill persists AK credentials into MCP configuration, which may be read by other tools or sessions if local permissions are too broad.
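The MCP configuration contains AK credentials; before writing it, confirm that the storage path and access permissions are as expected, so that the credentials cannot be read by unrelated tools or sessions.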
Review the exact MCP config path and file permissions before approving, and remove or rotate AKs if the configuration is shared or no longer needed.
