dmap-jsapi-skill

Pass. Audited by ClawScan on May 10, 2026.

Overview

This appears to be a benign instruction-only DMap development guide, but users should verify the map SDK endpoint, sanitize HTML popup content, and enable location tracking only with clear consent.

Install/use this skill as documentation, not as trusted runtime code. When copying examples, change the sample DMap server URLs to your approved HTTPS endpoint, avoid inserting untrusted data with setHTML, and only enable high-accuracy geolocation when users clearly request that feature.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If copied unchanged, a web app will try to load its map library over plain HTTP from an environment-specific server that is not verified in any way, so the script can be replaced in transit or simply fail to load outside the author's network.

Why it was flagged

The guide's quick start loads the DMap JavaScript SDK from a hard-coded HTTP endpoint on a private (RFC 1918) IP address. Loading a map SDK is expected for this purpose, but plain HTTP gives an on-path attacker a way to substitute the script, and the private address will not resolve to the intended host for anyone else. Users should verify the host and prefer trusted HTTPS distribution.

Skill content
<script type="text/javascript" src="http://172.26.64.84/dmapapi/bj2000/v1.0/dmap-gl.js"></script>
Recommendation

Replace the sample endpoint with the user's approved DMap service/CDN, load it over HTTPS, and pin the file with a Subresource Integrity (integrity=) attribute, or deploy a vetted copy of the SDK alongside the application instead of fetching it from a third-party host.

What this means

Untrusted map data could display as executable HTML or script in the user's web page if copied without sanitization.

Why it was flagged

The example renders feature data into popup HTML. This is a normal map API capability, but if feature properties come from untrusted GeoJSON or tiles, raw HTML insertion can create XSS risk.

Skill content
.setHTML(`<h3>${feature.properties.name}</h3>`)
Recommendation

Use text-only popup APIs when available, escape/sanitize dynamic values before setHTML, and treat external map data as untrusted.
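As an added example (not code from the skill), the builder below reproduces the flagged popup line next to a hardened version that escapes every dynamic value before it reaches setHTML. The hostile feature is constructed to resemble what an untrusted GeoJSON or tile source could return; `popup.setHTML(...)` is the only dmapgl call the page shows, so nothing else about that API is assumed.

```javascript
// Added example, not part of the original skill: escape feature properties
// before they are rendered into popup HTML.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: mirrors the skill's .setHTML(`<h3>${feature.properties.name}</h3>`).
// Whatever the data source puts in `name` becomes markup in the host page.
function unsafePopupHtml(feature) {
  return `<h3>${feature.properties.name}</h3>`;
}

// Hardened: escape on output and tolerate missing or non-string properties,
// which real tile data routinely has.
function safePopupHtml(feature) {
  const props = (feature && feature.properties) || {};
  const name = props.name == null ? '' : escapeHtml(props.name);
  return `<h3>${name}</h3>`;
}

// Constructed GeoJSON feature standing in for untrusted external map data.
const HOSTILE_FEATURE = {
  type: 'Feature',
  geometry: { type: 'Point', coordinates: [116.39, 39.91] },
  properties: { name: '<img src=x onerror="alert(document.cookie)">' },
};

// Intended use in the skill's click handler (popup is a dmapgl popup object,
// assumed to expose only the setHTML shown in the guide):
//   popup.setHTML(safePopupHtml(feature));
```

Escaping at the point of output is the part that matters; sanitising data on ingest does not help when the tiles come from a server you do not control.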

What this means

A copied example may prompt users for precise location access and continue tracking while the map control is active.

Why it was flagged

The guide includes an example that requests high-accuracy browser geolocation and tracks the user's location. This is purpose-aligned for maps, but it is sensitive and should remain user-controlled.

Skill content
new dmapgl.GeolocateControl({
    positionOptions: { enableHighAccuracy: true },
    trackUserLocation: true
  })
Recommendation

Enable geolocation only for features that need it, clearly disclose location use, and provide a way to stop tracking.