Skill v1.0.1

ClawScan security

Baidu Map IOS SDK(百度地图官方IOS SKills) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Apr 7, 2026, 4:08 AM)
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill is coherent with being a Baidu Maps iOS integration guide, but its runtime instructions require the agent to run xcodebuild and to automatically edit/fix the user's project in a loop until the build succeeds — an open-ended automation that grants broad modification authority and deserves caution.
Guidance
This skill is a detailed, coherent Baidu Maps iOS integration guide and appears to contain legitimate guidance for integrating BaiduMapKit/BMKLocationKit/BaiduWalkNaviKit. However, the runtime instructions require the agent to run xcodebuild and to automatically edit and recompile the user's Xcode project until the build succeeds. Before installing or enabling this skill, consider:

- Do you trust the agent to make code changes automatically? The skill gives the agent open-ended permission to modify project files and build settings to achieve a successful build.
- If you proceed, work on a copy/branch of your project and enable version control so you can review and revert changes.
- Prefer running the build-and-fix loop yourself or require the agent to present proposed code patches for explicit human approval before applying them.
- Keep backups and run the skill in an isolated environment (CI sandbox or disposable clone) first.
- The skill does not request secrets; still avoid pasting sensitive credentials into chat. The agent will prompt you to obtain and configure the Baidu AK and Bundle Identifier — configure those locally and intentionally.

If you want lower-risk use: ask the agent to only generate patch suggestions (diffs) and not to apply or execute builds automatically.
Findings
[no_code_files_regex_scan] expected: The repository is instruction-only (SKILL.md + many reference docs) so the regex pre-scan had nothing to analyze; absence of matches is expected and not evidence of safety.

Review Dimensions

Purpose & Capability
Status: ok
Name/description, the provided reference docs, and the declared requirements align: this is an instruction-only integration/implementation guide for Baidu Map iOS SDK and related kits. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
Status: concern
The SKILL.md explicitly requires the agent to run an automated build (xcodebuild) against the user's workspace/scheme and to "immediately fix" compile errors and re-run builds repeatedly until BUILD SUCCEEDED. That gives the agent broad, open-ended permission to modify the user's project files, code, and build settings until the build passes. While fixing integration compile errors is within the skill's stated purpose, the instruction is open-ended (no limits on what files may be changed, no explicit approval step) and could lead to unexpected or extensive changes outside the minimal integration scope.
Install Mechanism
Status: ok
No install spec or external downloads — instruction-only. This is lower risk because nothing is automatically written to disk by the skill itself beyond whatever the agent edits in the user's project (which is expected for integration assistance).
Credentials
Status: ok
The skill requests no environment variables, credentials, or config paths. It instructs the agent to prompt the developer to obtain an AK from Baidu LBS console and to ensure the app's Bundle Identifier matches — that is appropriate and proportional to the stated purpose.
Persistence & Privilege
Status: ok
always:false and no persistent installs. The skill permits autonomous invocation (default), which is normal for skills. The main risk arises from combining autonomous invocation with the build-and-fix loop in the instructions: an autonomously-invoked agent could repeatedly modify the project without explicit human approval unless the platform or user restricts autonomy.