Amap Search
PassAudited by ClawScan on May 1, 2026.
Overview
This skill appears to do what it advertises—query Gaode/Amap map services—but it requires an API key and sends location-related queries to Amap.
This looks reasonable for a map-search skill. Before using it, make sure you are comfortable sharing map queries with Amap, protect your API key, and avoid placing sensitive addresses or routes into requests unless necessary.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read your shell profile, terminal history, logs, or copied commands might see and use your Amap API key and consume your quota.
The skill needs a user-supplied Amap API key and suggests either command-line use or persistent shell-profile storage. This is expected for the advertised API integration, but it is credential handling users should notice.
export AMAP_API_KEY="你的API_KEY" ... echo 'export AMAP_API_KEY="你的API_KEY"' >> ~/.bashrc ... python3 gaode_map.py <命令> --key 你的API_KEY
Prefer environment-variable storage over repeatedly passing the key on the command line, keep shell profiles private, avoid sharing logs that contain the key, and rotate the key if exposed.
Addresses, coordinates, route endpoints, POI searches, and IP-location lookups may be sent to Amap and could reveal sensitive places or travel intent.
The script constructs HTTPS requests to Amap/Gaode endpoints with the API key and user-supplied map data such as addresses or coordinates. This is disclosed and purpose-aligned, but it is an external-provider data flow.
base_url = "https://restapi.amap.com/v3/geocode/geo" ... params: Dict[str, Any] = {"key": key, "address": address, "output": "json"}Use the skill only for location queries you are comfortable sending to Amap, avoid unnecessary sensitive home/work addresses, and review Amap account quota and privacy settings.