Baidu Map WebAPI (Baidu Maps Official Web Service Skills)
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only Baidu Maps API guide; the main things to notice are expected use of a Baidu API key and sending location or address queries to Baidu services.
This skill appears safe to use for its stated purpose if you are comfortable using Baidu Maps WebAPI. Protect the BMAP_WEBAPI_AK key, restrict it in Baidu’s console, avoid sharing sensitive precise locations unless needed, and verify the package source/version before relying on it in production.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Baidu Maps API key may be used for requests, quota, and any billing or service permissions tied to that key.
The skill uses a Baidu Maps Access Key from an environment variable for API calls. This is expected for the service, but it grants access to the enabled Baidu APIs and may consume quota.
Prefer reading the AK from the environment variable `BMAP_WEBAPI_AK` ... curl "https://api.map.baidu.com/place/v3/region?query=美食&region=北京&ak=$BMAP_WEBAPI_AK"
Use a least-privileged server-side AK, apply Baidu IP/SN restrictions where possible, and avoid pasting full URLs containing the key into chats or logs.
Precise locations, addresses, nearby searches, and route queries may be sent to Baidu’s API when the skill is used.
The skill documents sending coordinates and search terms to Baidu Maps WebAPI endpoints. This is purpose-aligned, but coordinates, addresses, routes, and timing can be personal data.
**GET** `https://api.map.baidu.com/place/v3/around` ... `location` ... latitude/longitude coordinates of the center point for the circular-area search
Only provide precise home, work, current-location, or travel details when you are comfortable sharing them with Baidu Maps, and minimize query detail where possible.
Using the weather lookup recipes may cause the agent or user to download external reference files.
The weather workflow optionally downloads remote CSV/XLSX reference tables from Baidu-hosted domains. They are described as static data and not executable code, but remote file provenance still matters.
Download the Excel code table: `https://mapopen-website-wiki.cdn.bcebos.com/cityList/weather_abroad_district_id_20250904-1.xlsx`
Download reference tables only from the listed Baidu domains, verify the file source if using them in production, and do not execute macros or embedded content from spreadsheet files.
It may be harder to confirm that the package exactly matches the claimed official Baidu Maps repository.
The supplied registry metadata lists the source as unknown and version 1.0.7, while the included _meta.json/SKILL.md show version 1.0.5 and a different owner identifier. This is a provenance/version consistency note, not evidence of malicious behavior.
Source: unknown ... Version: 1.0.7
Before production use, verify the skill against the stated homepage or repository and confirm you are installing the intended version.
