Amap Search
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read your shell profile, terminal history, logs, or copied commands might see and use your Amap API key and consume your quota.
The skill needs a user-supplied Amap API key and suggests either command-line use or persistent shell-profile storage. This is expected for the advertised API integration, but it is credential handling users should notice.
export AMAP_API_KEY="你的API_KEY" ... echo 'export AMAP_API_KEY="你的API_KEY"' >> ~/.bashrc ... python3 gaode_map.py <命令> --key 你的API_KEY
Prefer environment-variable storage over repeatedly passing the key on the command line, keep shell profiles private, avoid sharing logs that contain the key, and rotate the key if exposed.
Addresses, coordinates, route endpoints, POI searches, and IP-location lookups may be sent to Amap and could reveal sensitive places or travel intent.
The script constructs HTTPS requests to Amap/Gaode endpoints with the API key and user-supplied map data such as addresses or coordinates. This is disclosed and purpose-aligned, but it is an external-provider data flow.
base_url = "https://restapi.amap.com/v3/geocode/geo" ... params: Dict[str, Any] = {"key": key, "address": address, "output": "json"}
Use the skill only for location queries you are comfortable sending to Amap, avoid unnecessary sensitive home/work addresses, and review Amap account quota and privacy settings.
