Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Citywalk Map
v2.0.7 Generates a Citywalk map HTML based on OpenStreetMap and OSRM walking routes, supports a custom theme color, automatically adapts to full screen, and outputs detailed walking data and stop information.
⭐ 0 · 110 · 1 current · 1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (generate OSM+OSRM walking-route HTML with theme and screenshots) matches the code: generate.py builds routes using OSRM and Nominatim and writes /tmp/citywalk_map.html. However there are mismatches: SKILL.md and some docs claim 'zero dependencies' (Python stdlib + curl) while scripts/render.py requires third-party packages (requests, Pillow). README.md mentions an automatic Gaode (Amap) tile fallback for China but the code uses openstreetmap.fr tiles and does not implement the claimed automatic switch. package.json version (3.1.0) and repository metadata also differ from registry metadata (2.0.7). These inconsistencies look like sloppy packaging rather than outright malicious intent, but they are unexplained.
Instruction Scope
Runtime instructions direct the agent/user to run scripts/generate.py (expected). The tool performs multiple network calls (router.project-osrm.org, nominatim.openstreetmap.org, wttr.in, OSM tile servers) which are necessary for routing/tiles/weather. The SKILL.md instructs starting a local Python http.server and later uses pkill -f to stop it; pkill may terminate other matching processes on the host if used carelessly. The code does not read arbitrary system files or request unrelated credentials.
Install Mechanism
No install spec is provided (instruction-only), which is low-risk, but the bundle includes executable scripts. render.py has non-standard dependencies (requests and Pillow) that are not installed automatically and contradict the 'zero dependencies' claim — if a user tries to run render.py without installing these libs it will fail. No external archives or obscure download URLs are used in the bundle itself.
Credentials
The skill requests no credentials or sensitive environment variables. An optional COLOR env var controls theme color; otherwise it does not require secrets. The code copies the environment when launching subprocesses but does not exfiltrate env vars. Network access is used for public mapping/weather services only.
Persistence & Privilege
The skill does not request persistent or elevated privileges. always is false. It writes output to /tmp and suggests running a local http.server; it does not modify other skills or system-wide agent settings.
What to consider before installing
- Functional correctness: generate.py is the primary script and should work with curl and Python 3. render.py requires third-party Python packages (requests, Pillow). If you don't want to install extra packages, avoid running render.py.
- Dependency claim mismatch: the docs claim 'zero dependencies' but render.py contradicts that. Verify and install only what you trust (pip install requests Pillow) in an isolated environment if needed.
- Network activity: the tool will make outbound requests to router.project-osrm.org (OSRM), nominatim.openstreetmap.org (reverse geocoding), wttr.in (weather), and OSM tile servers. These are expected for map generation, but be aware of rate limits and privacy (coordinates sent to public services).
- pkill usage: the suggested screenshot flow uses pkill -f 'http.server 18767' — this can kill any matching process. Run the server/stop commands manually or use a safer method (record PID and kill that PID) to avoid terminating unrelated processes.
- Packaging inconsistencies: package.json version and registry metadata do not match; README mentions Gaode (Amap) fallback not implemented in code. Treat these as quality issues; review the code locally before running.
- Safety tip: run the scripts in a sandboxed or disposable environment (container/VM) if you have concerns, and do not expose sensitive environment variables while testing.
Version: latest · Tags: amap, osrm, route, travel, walking