Gaode Map LBS - 高德官方地图综合服务 Skill
Security checks across malware telemetry and agentic risk
Overview
This appears to be a purpose-aligned Gaode/Amap map skill, but it needs your Amap API key and sends selected searches, coordinates, and visualization data to Amap services.
Before installing, make sure you are comfortable giving this skill access to an Amap Web Service key and sending your requested searches, route endpoints, coordinates, and heatmap data URLs to Amap. Prefer a restricted API key, avoid private or tokenized heatmap data URLs, and only use the local Electron socket helper with a trusted companion app.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Amap key could consume quota or incur account impact if misused, and a locally saved key should be protected.
The skill reads the declared Amap Web Service credential, supports a deprecated fallback credential variable, and can store the key locally. This is expected for Amap API access but is still sensitive credential handling.
let key = process.env.AMAP_WEBSERVICE_KEY; ... if (!key && process.env.AMAP_KEY) { key = process.env.AMAP_KEY; } ... config.webServiceKey = key;
Use a restricted Amap key, prefer setting it via environment variable, avoid sharing the skill directory if config.json is created, and revoke or rotate the key if you stop using the skill.
Amap will receive the searches, locations, and route endpoints you ask the skill to process.
POI and route functions send user-selected keywords, cities, coordinates, and the API key to Gaode's REST API. This is necessary for the advertised map functionality, but it is still a third-party data flow.
const url = 'https://restapi.amap.com/v5/place/text'; ... const response = await axios.get(url, { params: requestParams });
Only use the skill for location queries you are comfortable sending to Amap, and review Amap's API/privacy terms for your account.
If you use private datasets or signed URLs for heatmaps, the data URL may be visible outside the skill.
Heatmap visualization embeds a user-provided data URL into an Amap URL and uses http:// in the documented template. This is user-directed and purpose-aligned, but private or tokenized data URLs could be exposed in browser history, logs, or network paths.
http://a.amap.com/jsapi_demo_show/static/openclaw/heatmap.html?mapStyle={地图风格}&dataUrl={数据地址(URL编码)}
Use public or non-sensitive data URLs for heatmaps, avoid embedding secrets in dataUrl parameters, and prefer an HTTPS visualization URL if Amap supports it.
If using this helper, search terms or route endpoints could be sent to whichever local process controls that socket.
The optional Python helper sends route/search commands to a fixed local Unix socket for an Electron app, but the supplied client code does not authenticate the socket owner. This is aligned with the helper's purpose, yet the companion app boundary is not fully shown.
SOCKET_PATH = "/tmp/jsapi-electron.sock" ... client_socket.connect(SOCKET_PATH) ... client_socket.sendall(message.encode("utf-8"))
Use the socket helper only with a trusted, expected Electron app running locally, and avoid using it on shared or untrusted machines.
Future installs could resolve a different compatible axios version than the one originally tested.
The skill depends on axios using a semver range rather than an exact pinned version. Axios is appropriate for this HTTP API client, and no install scripts are shown, but dependency resolution may change over time.
"dependencies": { "axios": "^1.13.6" }
Install from a trusted registry/source and consider pinning or lockfiling dependencies if you need reproducible installs.
