Skill v2.0.0

ClawScan security

Amap Search Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (scanned Mar 16, 2026, 12:40 PM)
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (calling Gaode/AMap web APIs) and do not request unrelated credentials or external endpoints, but there are minor metadata inconsistencies you should be aware of before using it.
Guidance
This skill appears to do what it says: call AMap/Gaode web APIs for POI, routing, weather and traffic. Before installing: (1) Be prepared to supply your own AMap API key (AMAP_API_KEY or pass --key); do not share that key publicly. (2) Note the registry metadata does not declare the AMAP_API_KEY requirement — treat that as a minor metadata bug and ensure you provide the key only to this skill. (3) The code uses only restapi.amap.com and Python stdlib, but you should still review the included scripts locally (they are small and readable) and run them in a sandbox if you have concerns. (4) The SKILL.md contains an unexplained AIGC metadata block with hex strings — unusual, but not an active instruction; you may ask the publisher what those fields represent. If you need higher assurance, request the publisher correct the metadata to list AMAP_API_KEY as a required credential and confirm the source/repository links before enabling autonomous invocation.

Review Dimensions

Purpose & Capability
Status: ok
Name/description promise POI/search/route/weather/traffic and the included Python scripts implement exactly those AMap REST API calls (geocode, place search, direction, weather, ip, traffic). There are no unrelated binaries or services requested. Minor inconsistency: the registry metadata lists no required env vars, but both SKILL.md and the code recommend/expect an AMAP_API_KEY.
Instruction Scope
Status: note
SKILL.md gives concrete CLI usage and recommends setting AMAP_API_KEY as an environment variable; runtime instructions are limited to calling AMap APIs and formatting results. The SKILL.md includes an AIGC metadata block with long hex-like strings (labeled ReservedCode1/2) that are unexplained in-document; this is unusual but not in itself an instruction to exfiltrate data. The instructions do not direct reading unrelated local files or posting data to third-party endpoints beyond restapi.amap.com.
Install Mechanism
Status: ok
There is no install spec and no network-download/install steps; this is effectively an instruction + script skill. The included Python scripts are plain, use the stdlib urllib, and do not download or execute remote code.
Credentials
Status: note
The only credential the skill needs is an AMap API key (AMAP_API_KEY or --key). That is proportionate to the described functionality. However, the registry did not declare required env vars (none listed) while SKILL.md and gaode_map.py expect AMAP_API_KEY; this metadata omission is inconsistent and worth correcting before deployment.
Persistence & Privilege
Status: ok
The always flag is false, and the skill does not request permanent presence or modify other skills or system settings. It makes network calls to AMap only and does not persist credentials beyond usual environment variable / CLI parameter usage.