Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Amap Map

v1.0.0

Amap (高德地图) API skill (search, nearby, POI, navigation, geocoding). Calls /scripts/amap.py; supports keyword search, nearby search, POI details, walking/cycling/driving route planning, and address-to-coordinate geocoding.

0 · 207 · 1 current · 1 all-time

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (high confidence)
Purpose & Capability
The code implements the advertised Amap features (text search, around, POI detail, routing, geocoding) and only calls Amap's REST API (restapi.amap.com). However, the skill metadata declares no required credentials while the script in scripts/amap.py clearly expects an API key (AMAP_API_KEY env var or an entry in ~/.openclaw/openclaw.json). This is a proportional capability but the manifest omits the key requirement.
Instruction Scope
SKILL.md instructs the agent to run the included Python script and to place the API key in ~/.openclaw/openclaw.json, consistent with the code. The script reads ~/.openclaw/openclaw.json and writes a local .usage.json under the skill workspace. Reading that config file is reasonable to find its own apiKey, but it does open a broader user config file (which may contain other data) even though it only extracts the amap-map entry.
Install Mechanism
This is an instruction-only skill (no install spec). The script imports third-party modules (requests) and uses fcntl; the manifest does not declare these runtime requirements or required binaries (python3). Without an install spec or declared dependencies, runtime execution may fail or the operator may not realize network-capable Python code will run.
Credentials
The registry metadata lists no required environment variables, but the script uses AMAP_API_KEY from the environment (and/or an apiKey stored in ~/.openclaw/openclaw.json). Asking for an API key is expected for this skill, but the omission in metadata is a mismatch and should be fixed so users know a secret is required. The script does not request unrelated credentials.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or system-wide privileges. It writes a local usage file under its skill workspace and reads the user's ~/.openclaw/openclaw.json to find its own config entry — both are reasonable for this functionality and limited in scope.
What to consider before installing
Before installing:
- Expect to provide a Gaode/Amap API key. The skill metadata does not declare this, but the script requires AMAP_API_KEY (env) or an apiKey entry under ~/.openclaw/openclaw.json -> skills -> entries -> "amap-map". Add the key only if you trust the skill.
- Ensure your environment has python3 and the 'requests' library available; the skill has no install spec and will fail if requests is missing.
- The script will read ~/.openclaw/openclaw.json (to get its own apiKey) and will create a .usage.json under the skill workspace to record local usage; review those files if you are concerned about local data being read/written.
- Network calls are made only to restapi.amap.com (Amap). If you need to restrict outbound traffic, allow that host only.
- If you want stronger assurance, request the publisher to update the skill manifest to declare the required environment variable (AMAP_API_KEY), list runtime dependencies (python3, requests), and include an explicit install spec or runtime dependency note.


latest: vk976maa47qqsnv115vrrda7bmd82xtz3
