Ncloud Maps
v1.0.8Query Naver Cloud Maps APIs for route navigation. Smart routing: Directions5 by default, auto-switches to Directions15 for 5+ waypoints.
⭐ 0· 648·1 current·2 all-time
byBeomsu Lee@beomsu317
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's name/description (Naver Cloud Maps routing) matches the included source code and behavior: it calls Naver Maps Directions5/15 endpoints and returns distance/duration/cost estimates. However, the registry metadata claims no required env vars or primary credential while the SKILL.md and code clearly expect NCLOUD_API_KEY_ID and NCLOUD_API_KEY. That metadata omission is an inconsistency (likely an authoring error) but the capabilities themselves align with the stated purpose.
Instruction Scope
SKILL.md and the scripts are narrowly scoped to routing: validate coordinates, call Naver Maps Directions endpoints, and return route summaries. The runtime instructions ask the user to set NCLOUD API keys and run npm install / the CLI; there are no instructions to read unrelated system files, other credentials, or to post data to unexpected endpoints. All network calls in code target Naver's map gateway (maps.apigw.ntruss.com).
Install Mechanism
This is effectively an instruction-and-code package with no special install spec in the registry. The code uses standard npm dependencies (axios) listed in package-lock.json; there are no download-from-arbitrary-URLs or extract steps. Asking users to run npm install and run the included CLI is normal for a JS/TS skill.
Credentials
The SKILL.md and all CLI code expect two environment variables (NCLOUD_API_KEY_ID and NCLOUD_API_KEY) for authentication. Yet the registry metadata lists no required env vars and no primary credential. Requesting those two Naver Cloud keys is proportionate for this functionality, but the registry omission is misleading and increases risk if users install without realizing they must supply secrets. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true and is user-invocable only; it does not attempt to modify other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but is not combined with other concerning privileges here.
What to consider before installing
This skill's code and docs require NCLOUD_API_KEY_ID and NCLOUD_API_KEY (Naver Cloud API credentials) and will call Naver's Maps API endpoints — that is expected for a Naver Maps routing skill. The problem is the registry metadata did not declare those required environment variables or a primary credential, which is an authoring inconsistency you should resolve before installing. Before you proceed: (1) Confirm you are comfortable providing Naver Cloud API keys and that you will store them securely (do not commit them to git). (2) Ask the publisher/registry to update the metadata to list NCLOUD_API_KEY_ID / NCLOUD_API_KEY as required credentials. (3) Review package.json and package-lock.json (already present) and run npm audit / use non-production credentials to test. (4) Verify network egress policy allows calls to https://maps.apigw.ntruss.com and that no other unknown endpoints are contacted. If the maintainer cannot explain the metadata omission, treat the package as untrusted until that is fixed.Like a lobster shell, security has layers — review code before you run it.
latestvk975hf9zcvjat4hfsssw9ah7qn81tx5y
License
MIT-0
Free to use, modify, and redistribute. No attribution required.