Skill v1.0.0
ClawScan security
Live Location Mapper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 6, 2026, 2:34 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions roughly match its stated purpose (mapping Douyin live streams), but there are important mismatches and privacy/credential concerns that need clarification before installation.
- Guidance: This skill appears to do what it says (find Douyin live streams and plot them on Baidu maps) but has important gaps and privacy implications. Before installing: (1) Ask the publisher to add the Baidu Maps API key (AK) to the skill metadata (requires.env / primary credential) instead of pasting keys into chat, and to provide details on how keys are stored and used. (2) Request the source or at least a vetted code example — the provided Python snippets contain bugs and aren't safe to run as-is. (3) Consider Douyin terms and streamer privacy: collecting and plotting inferred streamer locations may violate platform policies or privacy norms. (4) Do not supply high-privilege API keys; create a scoped/test AK with minimal quota and monitor usage. (5) If you need payment/monetization (1 USDT per use), ask how payments are processed and why it is mentioned in SKILL.md. These clarifications would likely move the assessment from suspicious toward benign.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md describes searching Douyin and using the Baidu Maps API (AK) to geocode and render static maps, which aligns with the name/description — however, the package metadata declares no required environment variables or primary credential while the instructions explicitly require a Baidu Maps API Key. The README also mentions a per-use price (1.0 USDT), but the skill metadata provides no payment integration. These omissions are incoherent with the skill's stated needs.
- Instruction Scope (concern): Runtime instructions tell the agent to open Douyin search pages, record live account names and location descriptions, call Baidu Maps APIs with an API key, and download static images. The instructions require collecting location descriptions of streamers (privacy-sensitive) and rely on an API key not declared in the registry. The guidance for estimating crowd sizes is vague (open-ended), which could grant broad discretion. There are also coding errors in the example snippets (broken image-download code and variable reuse), indicating low-quality/untested instructions.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files, so nothing is written to disk or fetched during install. That reduces install-surface risk.
- Credentials (concern): The instructions require a Baidu Maps API Key (AK) to function, but the requires.env and primary credential fields are empty in the registry metadata. Requesting a network API key for mapping is proportionate to the purpose, but failing to declare it in metadata prevents automated secrets handling and review; providing an API key to an unvetted, instruction-only skill risks key leakage. No other unrelated credentials are requested.
- Persistence & Privilege (ok): The skill does not request always: true and is user-invocable only. It does not declare writes to system config or persistent privileges. Autonomous invocation is allowed by default but is not by itself a red flag here.
