Skill v1.0.2
ClawScan security
Map Agent - iOS LLM Agent SDK(高德官方 AI Agent Skill) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 10:07 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is a documentation-only skill that provides iOS integration guidance for the AMap (高德) MALLMKit Agent/Link SDK; its requested footprint (no installs, no env vars, no credentials) matches its stated purpose.
- Guidance: This package is documentation and example code for integrating AMap's iOS MALLMKit (Agent + Link). It does not itself install binaries or ask for secrets, so the footprint is small; however, before using the code in a real app:
  1) Verify you obtained MALLMKit and any native libs (.a, frameworks) from the official AMap/Open Platform.
  2) Carefully review any place you or generated code would call configureAgentURL or point server endpoints; do not point these to unknown third-party URLs (they could receive user queries, location, or navigation data).
  3) Check Info.plist/URL-scheme changes and ensure they match your privacy policy and user consent requirements (location and IPC carry sensitive data).
  4) Confirm how API keys and authorization are obtained and stored (examples use NSUserDefaults; consider secure storage if needed).
  5) If you will let an AI agent auto-generate or run code using these docs, review generated code before execution to ensure no endpoint or data-exfil behavior was introduced.

  If you need me to highlight every line that sends data out or to flag unsafe default values in the examples, I can scan specific files for those calls.
Review Dimensions
- Purpose & Capability (ok): Name/description describe an iOS SDK integration skill and the files (quick-start, API references, code examples) are exactly what is needed to integrate an iOS LLM Agent and Link IPC with AMap; there are no unrelated requirements (no extra env vars, binaries, or installs).
- Instruction Scope (note): The runtime instructions stay within SDK integration scope (initialization, authorization, IPC, sending JSON commands, navigation control). Two items to be aware of: (1) the docs show an API to configure a custom Agent service URL (configureAgentURL); pointing that to an untrusted external endpoint could redirect queries/data outside expected servers; (2) LinkManager server probing and IPC sendDataToClient: will transmit JSON messages and navigation/location-related data to the linked app or server. These behaviors are coherent with the skill's purpose but carry privacy/data-exfiltration risk if misconfigured.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code to execute on install; nothing is downloaded or written to disk by the skill package itself.
- Credentials (ok): The skill declares no environment variables, credentials, or config paths. The examples mention using API keys and Info.plist settings (expected for an SDK integration) but do not request unrelated credentials.
- Persistence & Privilege (ok): The skill does not request permanent inclusion (always:false) nor attempt to modify other skills. It shows example persistence of authorization state in NSUserDefaults (local, expected for mobile SDKs).
