Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mapbox Token Security
v1.0.0
Security best practices for Mapbox access tokens, including scope management, URL restrictions, rotation strategies, and protecting sensitive data. Use when...
by @mapbox
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the included content: the files are guidance and checklists about Mapbox token types, scope management, URL restrictions, rotation, storage, and monitoring. The skill requests no binaries, env vars, installs, or credentials — appropriate for a documentation/consulting skill.
Instruction Scope
Most runtime instructions stay within scope (token scoping, URL restrictions, storage, rotation, monitoring). However, the incident-response guidance includes 'Immediate actions (first 15 minutes): 1. Revoke the token' which contradicts the zero-downtime rotation guidance elsewhere (which says create new token and revoke old only after verifying). That contradiction is operationally meaningful: following the 'revoke first' instruction can cause outages. There are also minor ambiguities (e.g., 'Log token usage' is recommended but elsewhere the docs warn 'Don't log tokens' — this is fine if interpreted as 'log usage metrics, not token values', but the wording could be misapplied).
Install Mechanism
Instruction-only skill with no install spec and no code to write to disk. Lowest install risk.
Credentials
The skill does not request any environment variables or credentials. Its recommendations to use environment variables and secret managers are appropriate and proportional to the stated purpose.
Persistence & Privilege
Skill is user-invocable, not always-on, and does not request system-level persistence or modify other skills. Normal privilege model.
What to consider before installing
This is documentation-level guidance about Mapbox token security that appears legitimate, but review and reconcile the conflicting instructions before using operationally: 1) Update incident-response steps to prefer 'create replacement and deploy/verify before revoking' when zero-downtime is required; reserve immediate revocation only for extreme emergency when compromise is certain and downtime acceptable. 2) Clarify 'log token usage' to ensure only usage metrics are logged (not token values). 3) Test rotation and emergency procedures in staging to validate they behave as expected. 4) Note the source is unknown—treat this as general guidance, and cross-check against Mapbox's official docs and your org's incident response policy before enacting. If you intend to automate any of these steps, have a clear playbook that specifies when to revoke immediately vs. rotate safely to avoid accidental outages.
latest: vk979gbcj1vbhfx3c2h6q4q2n9n83zyw9
