Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

高德地图 (Fangtian)

v1.0.0

Amap (高德地图) API wrapper that returns raw JSON data. Use when users ask about weather, addresses, coordinates, nearby places, routes, navigation, ride-hailing, or trips in China. Commands: weather, geo, regeo, search, around, detail, route, distance,...

1 · 253 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The stated purpose (an Amap/高德地图 API wrapper) legitimately needs an AMAP_API_KEY and uses curl — that is coherent. However, the skill registry metadata lists no required env vars or primary credential, which contradicts SKILL.md's explicit requirement for AMAP_API_KEY.
Instruction Scope (flagged)
The SKILL.md tells the user/agent to 'cp amap ~/.local/bin/ && chmod +x' but this package contains no 'amap' binary or other code files. That instruction would cause an agent or user to place an external binary into their PATH; the origin of that binary is unspecified. Apart from that, the instructions only reference the AMAP_API_KEY and curl (reasonable for the stated purpose).
Install Mechanism (flagged)
There is no formal install spec in the registry (instruction-only). Yet SKILL.md expects installing a local 'amap' executable — which is missing from the package. Because the binary is not provided, a user would need to obtain it from elsewhere (unknown source), which increases risk.
Credentials (flagged)
The SKILL.md requires a single AMAP_API_KEY (appropriate and proportionate). The registry metadata, however, lists no required env vars or primary credential — a mismatch that could mislead users or automated installers about what secrets are needed. No unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true, does not declare special config paths, and is instruction-only so it does not persist code on install. No elevated persistence or broad privileges are requested by the registry.
What to consider before installing
Do not install or run an unknown 'amap' binary from an unspecified source. Before proceeding, ask the publisher to: (1) include the actual executable or a trustworthy install URL (e.g., an official GitHub release) in the package; (2) update registry metadata to declare AMAP_API_KEY as a required env var; and (3) document exactly where the binary comes from and what it does. If you must use this skill: obtain the amap executable only from an official/verified source, inspect it (or its source code) before placing it in ~/.local/bin, and ensure the AMAP_API_KEY you provide has minimal necessary scope and is not tied to high-privilege accounts. Because the skill can be invoked autonomously by agents by default, prefer manual invocation until these inconsistencies are resolved.


latest: vk97a1127namvafhcm3xp38n1j582w4sz

