MapV Three (Baidu Maps Official 3D Map Skills)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only mapping guide does not show malicious behavior, but users should review API-key handling, package provenance, and any generated map-editing code.

Before installing, verify that this publisher is truly associated with Baidu/MapV, use restricted API keys, pin dependency versions, and carefully review any generated code that edits map data or connects to backend API hosts.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An unrestricted or exposed API key could be misused or incur quota/cost impact if copied into generated code or shared repositories.

Why it was flagged

The documentation instructs configuring a Baidu Maps access key, and the skill metadata requires BMAP_JSAPI_KEY. This is purpose-aligned for map services, but it is still a credential.

Skill content

mapvthree.BaiduMapConfig.ak = '您的AK密钥';

Recommendation

Use a restricted Baidu Maps key, keep server-side secrets out of generated frontend code, and avoid committing real keys to source control.

What this means

Installing unpinned dependencies can pull newer or unexpected package versions into a project.

Why it was flagged

The skill is documentation-only, but it recommends installing external npm packages without pinned versions. This is expected for a library guide, yet package provenance and versions matter.

Skill content

npm install @baidumap/mapv-three three

Recommendation

Install from a trusted registry, pin or lock dependency versions, and review the package source before using it in production.

What this means

Users may place extra trust in the skill because it appears official, even though the registry metadata shown here does not verify that claim.

Why it was flagged

The listing uses official Baidu branding, but the supplied metadata does not provide a source or homepage to corroborate that publisher status. This is a provenance note, not evidence of deception.

Skill content

Name: MapV Three(百度地图官方3D地图SKills) ... Source: unknown; Homepage: none

Recommendation

Verify the publisher and compare guidance with Baidu/MapV official documentation before granting high trust.

What this means

If the agent generates code that calls these APIs against a real backend, it could change or delete map elements.

Why it was flagged

The documentation includes backend-connected high-definition map editing APIs. This matches the stated map-editing purpose, but these methods can modify or delete configured map data if used in generated code.

Skill content

`apiHost` ... `addElement(point, properties)` ... `deleteElementById(id)` ... `updateElementById(id, point, properties)`

Recommendation

Require explicit user approval for edit/delete/update flows, use staging endpoints for testing, and enforce backend authentication and authorization.