ClawHub

amap-jsapi-skill

v1.0.9

高德地图 JSAPI v2.0 (WebGL) 开发技能。涵盖地图生命周期管理、强制安全配置、3D 视图控制、覆盖物绘制及 LBS 服务集成。

8· 2.4k·22 current·23 all-time
byGaodeMapOfficial@lbs-amap
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (高德地图 JSAPI v2.0) aligns with required environment variables (AMAP_JSAPI_KEY, AMAP_SECURITY_JS_CODE). Both credentials are expected for AMap v2.0 usage (web key and security JS code). No unrelated binaries, endpoints, or config paths are requested.
Instruction Scope
SKILL.md stays within mapping functionality (initialization, plugins, layers, LBS services). It explicitly instructs using environment-provided securityJsCode and recommends using a backend proxy (serviceHost) to avoid exposing secrets. Minor inconsistency: several client-side examples show process.env.AMAP_SECURITY_JS_CODE (which only works in build/server contexts), so bundling/transfer guidance should be clarified to avoid accidentally exposing the secret in the browser.
Install Mechanism
No install spec and no code files executed by the platform (instruction-only). The runtime instructions reference official AMap loader URLs (webapi.amap.com) only. There is no download-from-arbitrary-URL behavior.
Credentials
Only two environment variables are required and both are directly relevant to the skill's purpose. AMAP_JSAPI_KEY is the declared primary credential. There are no requests for unrelated secrets or broad system credentials.
Persistence & Privilege
always is false and the skill does not request permanent/autonomic privileges or modification of other skills. It is instruction-only and does not modify system-wide settings.
Assessment
This skill is internally consistent with AMap JSAPI usage, but before installing: 1) Only provide the AMap key and the security JS code if you trust the source — keep AMAP_SECURITY_JS_CODE out of client-side code by using a backend proxy (serviceHost) or inject it at build time in a way that doesn’t expose it to end users. 2) Restrict AMAP_JSAPI_KEY by referrer/domain limits in the AMap console and rotate it if you suspect exposure. 3) Note the SKILL.md uses process.env in examples — ensure your build/runtime substitutes values securely and that you do not paste raw secrets into HTML/JS served to browsers. 4) Because this skill is instruction-only, it won’t install code on disk, but follow the guidance about placing generated files under the workspace/amap-jsapi/ directory and review any generated files before deploying.

Like a lobster shell, security has layers — review code before you run it.

latestvk979afnjrhwf97wckk338ykfbn850h49

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvAMAP_JSAPI_KEY, AMAP_SECURITY_JS_CODE
Primary envAMAP_JSAPI_KEY

Comments