Baidu Map Harmonyos SDK(百度地图官方鸿蒙 SKills)
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is mostly a coherent Baidu Maps HarmonyOS development guide, but it tells the agent to automatically change SDK dependencies and rewrite imports without asking first.
Before installing, be prepared to review any proposed dependency changes, import rewrites, and build commands. Use version control, ask the agent to show a plan and diff before acting, pin trusted SDK versions, protect your Baidu AK, and enable location/background permissions only for features that truly need them.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user’s project dependencies and source files could be changed broadly, potentially breaking builds or altering behavior before the user reviews the changes.
This directs the agent to mutate the project dependency graph and source imports automatically, including uninstalling packages and mass-editing files, without explicit user approval.
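Standalone packages are already in use, but the new requirement needs the combined package's capabilities ... automatically execute the switch process ... no need to ask the user ... uninstall all existing standalone packages ... batch-replace import statements ... run build verification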
Require explicit user confirmation before dependency migration, show the planned commands and file diff, run on a version-control branch, and keep the changes limited to confirmed Baidu Map imports.
Running install/build commands may download packages, update lockfiles, and execute normal build tooling in the project environment.
The skill intentionally instructs the agent to run package installation and build commands in the user’s project. This is purpose-aligned for SDK integration, but still executes local project tooling.
Run in the project root directory:

1. Install dependencies:

```bash
ohpm install
```

2. Run the build and ArkTSCheck:

```bash
hvigorw assembleHap --mode module -p product=default -p buildMode=debug --no-daemon
```
Run these commands only in a trusted project workspace, review dependency changes, and prefer a clean branch or CI environment for validation.
If applied broadly, the resulting app may handle location data and privileged permissions that affect user privacy and account/service usage.
The generated app may use a Baidu developer AK and request sensitive runtime privileges, including background location and long-running background behavior.
LocationClient.checkAuthKey(BAIDU_MAP_AK, this.context ...) ... "name": "ohos.permission.LOCATION_IN_BACKGROUND" ... "ohos.permission.APP_TRACKING_CONSENT" ... "ohos.permission.KEEP_BACKGROUND_RUNNING"
Keep the Baidu AK out of public code, declare only permissions required by the specific feature, obtain clear runtime consent, and avoid background location unless the user-facing app purpose requires it.
Users may assume official provenance without having registry evidence to verify the publisher or source history.
The skill presents itself as an official Baidu Map HarmonyOS SDK skill, but the supplied registry metadata does not provide a source repository or homepage to independently verify provenance.
Name: Baidu Map Harmonyos SDK(百度地图官方鸿蒙 SKills) ... Source: unknown ... Homepage: none
Verify the publisher and compare guidance against Baidu’s official SDK documentation before relying on it for sensitive or production changes.
