Baidu Map Harmonyos SDK (official Baidu Map HarmonyOS Skills)

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: baidu-map-harmonyos-sdk
Version: 1.0.2

The skill bundle contains instructions in SKILL.md and package-management.md that command the AI agent to perform 'automatic switching' of SDK packages, which involves uninstalling dependencies and batch-replacing source code imports without user confirmation. While these actions are framed as necessary for resolving Baidu SDK conflicts, the lack of a user-in-the-loop requirement for destructive project modifications is a high-risk behavior that could be exploited via prompt injection. Additionally, the bundle mandates the execution of shell commands (ohpm, hvigorw) for build validation in build-and-test.md, which is a standard but sensitive capability for an AI agent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could uninstall SDK dependencies, install new packages, rewrite imports, and run builds in a project without first confirming that the user wants those changes.

Why it was flagged

The skill instructs the agent to run package changes and source rewrites automatically, explicitly removing the normal user approval step for high-impact project mutations.

Skill content
The agent must perform the switch automatically (uninstall the standalone packages → install the bundled package → batch-replace imports → build verification) without asking the user any further questions.
Recommendation

Require explicit user approval before uninstalling/installing packages or rewriting imports, show the planned changes, and keep changes under version control for rollback.

What this means

A single incorrect dependency classification or replacement rule could affect many files and create widespread build or runtime failures.

Why it was flagged

A broad project-wide import replacement can propagate a mistaken package-choice decision across many source files and break unrelated parts of the application.

Skill content
Scan all `.ets` / `.ts` source files in the project and replace the standalone packages' import paths with the bundled package's paths.
Recommendation

Use a dry run, limit replacements to reviewed files, show a diff before applying, and require a successful backup or VCS checkpoint before bulk edits.

What this means

Apps built from this guidance may access precise or background location and rely on Baidu service credentials.

Why it was flagged

The generated app may request background location, tracking consent, keep-alive privileges, and use a Baidu Maps API key; these are expected for navigation/location features but are sensitive.

Skill content
`ohos.permission.LOCATION_IN_BACKGROUND` ... `ohos.permission.APP_TRACKING_CONSENT` ... `ohos.permission.KEEP_BACKGROUND_RUNNING` ... `LocationClient.checkAuthKey(BAIDU_MAP_AK`
Recommendation

Request only the minimum permissions needed for the feature, show clear privacy consent, avoid hardcoding or logging AK/appIdentifier values, and disable background location unless required.

What this means

Users have less external provenance information for confirming who maintains the skill and whether it matches official Baidu SDK guidance.

Why it was flagged

The skill's provenance is not strongly documented in the supplied metadata, even though it guides installation and use of third-party SDK packages.

Skill content
Source: unknown; Homepage: none
Recommendation

Verify the skill maintainer and compare package names, versions, and API usage with Baidu/OpenHarmony official documentation before applying changes.