dmap-jsapi-skill

Advisory

Audited by VirusTotal on Apr 23, 2026.

Overview

Type: OpenClaw Skill
Name: dmap-jsapi-skill
Version: 1.0.0

The skill bundle is a comprehensive development guide for the DMap GL JSAPI (dmapgl), a mapping library. It contains detailed documentation and code examples for map initialization, markers, layers, and 3D terrain. While it references a private IP address (172.26.64.84) for its CDN and API services, this is consistent with internal enterprise or development environments. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found across the SKILL.md or the extensive reference files.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If copied unchanged, a web app may execute map library code from an unverified or environment-specific server.

Why it was flagged

The guide's quick start loads the DMap JavaScript SDK from a hard-coded HTTP private-IP endpoint. Loading a map SDK is expected for this purpose, but users should verify the host and prefer trusted HTTPS distribution.

Skill content

<script type="text/javascript" src="http://172.26.64.84/dmapapi/bj2000/v1.0/dmap-gl.js"></script>

Recommendation

Replace the sample endpoint with the user's approved DMap service/CDN, use HTTPS where possible, and consider integrity or trusted deployment controls.

What this means

Untrusted map data could display as executable HTML or script in the user's web page if copied without sanitization.

Why it was flagged

The example renders feature data into popup HTML. This is a normal map API capability, but if feature properties come from untrusted GeoJSON or tiles, raw HTML insertion can create XSS risk.

Skill content

.setHTML(`<h3>${feature.properties.name}</h3>`)

Recommendation

Use text-only popup APIs when available, escape/sanitize dynamic values before setHTML, and treat external map data as untrusted.

What this means

A copied example may prompt users for precise location access and continue tracking while the map control is active.

Why it was flagged

The guide includes an example that requests high-accuracy browser geolocation and tracks the user's location. This is purpose-aligned for maps, but it is sensitive and should remain user-controlled.

Skill content

new dmapgl.GeolocateControl({
  positionOptions: { enableHighAccuracy: true },
  trackUserLocation: true
})

Recommendation

Enable geolocation only for features that need it, clearly disclose location use, and provide a way to stop tracking.