高德地图 (Fangtian)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward AMap API helper, but users should note that it uses an AMap API key, sends location queries to AMap, and references a local `amap` CLI executable that is not included in the submitted artifacts.

Before installing, make sure any `amap` executable you copy into your PATH comes from a trusted source, configure a restricted AMap Web Service API key, and remember that addresses, coordinates, routes, taxi links, or trip plans you ask about will be sent to AMap.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Queries made by the skill may consume the user's API quota and are associated with their AMap API key.

Why it was flagged

The skill requires an AMap Web Service API key. This is expected for AMap API calls, but it gives the tool quota-bearing access under the user's AMap developer account.

Skill content

export AMAP_API_KEY="your-api-key" ... The API key needs Web Service permission

Recommendation

Use a restricted AMap Web Service key, set quota limits if possible, and rotate the key if it is exposed.

What this means

AMap may receive addresses, coordinates, routes, or trip details included in user requests.

Why it was flagged

The skill is designed to send map, weather, search, geocoding, routing, taxi, and trip requests to the external AMap REST API. This is disclosed and purpose-aligned, but the submitted locations or itineraries can be sensitive.

Skill content

Calls the AMap REST API directly and returns the full JSON response

Recommendation

Avoid submitting highly sensitive home, work, or itinerary details unless needed, and review AMap's privacy and API usage terms.

What this means

If the user obtains or already has an `amap` executable from an untrusted source, the agent could run that local program when using the skill.

Why it was flagged

The skill documents installing an `amap` executable, but the provided manifest contains only SKILL.md and no executable or install specification. The executable provenance is therefore not evidenced by the supplied artifacts.

Skill content

cp amap ~/.local/bin/; chmod +x ~/.local/bin/amap

Recommendation

Only install an `amap` executable from a trusted, reviewed source, and prefer a package that includes its executable and dependency metadata in the reviewed artifacts.