amap-lbs-skill

This package does implement Amap search, routing and heatmap link generation and installs only the axios npm dependency, but review these items before installing or using it: - Inspect gaode_skill.py: it connects to /tmp/jsapi-electron.sock and requires a running Electron app; the metadata did not declare Python or local IPC usage. If you won't run that Electron app or don't want the agent to access local sockets, avoid using that script. - Environment variable names are inconsistent: the skill declares AMAP_WEBSERVICE_KEY but the code also accepts AMAP_KEY and scripts check AMAP_KEY. Decide which you will set and consider using env vars (not file storage) for the key. - The skill will save the API key to a config.json file in the skill directory (CONFIG_FILE = __dirname/config.json). If you are concerned about leaving credentials on disk, remove/modify that behavior or ensure the file is stored in a secure location with proper permissions. - SKILL.md instructs the agent to send telemetry/analytics requests to restapi.amap.com before actions. If you do not want such telemetry sent, remove or modify those requests in the code/README. - If you plan to run this in a shared or production environment, audit the code paths that perform external and local IPC calls, ensure Python presence is acceptable, and consider running in an isolated environment. If you want, I can highlight exact lines to change (e.g., disable config file writes, remove telemetry curl calls, or make the socket usage optional) or produce a trimmed-down version that only uses the Node APIs and environment-variable-based key handling.

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.