Skill v1.0.21

ClawScan security

have-a-nice-day · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 5:25 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The package implements Tencent Maps (LBS) functionality that mostly matches its docs and env requirements, but metadata/name mismatches and a few packaging/clarity issues make it worth caution before installing.
Guidance
This package appears to implement Tencent Maps APIs and only needs a single API key (TMAP_LBS_CONFIG) and node — that is coherent with its functionality. However: (1) the published skill slug/name ('have-a-nice-day') does not match the code/docs (tmap-lbs-skills), and the owner is unknown — a possible sign of sloppy packaging or repackaging; (2) you must treat TMAP_LBS_CONFIG (your API key) as sensitive: only set keys with restricted referrers/quotas, and do not share them publicly; (3) review the included index.js yourself (or run in an isolated/test environment) to confirm it only calls apis.map.qq.com and mapapi.qq.com as shown; (4) if you obtained this skill from an untrusted source, prefer an official SDK or a package from a known maintainer. If you want higher confidence, ask the publisher to explain the name/slug mismatch and provide a verifiable source (e.g., GitHub repo or official maintainer) before installing.

Review Dimensions

Purpose & Capability
note: The code, SKILL.md, and reference files all implement Tencent Maps (TMap) web-service functionality and require a single environment value TMAP_LBS_CONFIG and Node — these are proportionate to the described purpose. However the registry 'slug' / provided skill name (have-a-nice-day) does not match the SKILL.md/package.json name (tmap-lbs-skills), and the owner and source are unknown — this metadata/publishing mismatch is unexpected and reduces trust.
Instruction Scope
ok: SKILL.md instructs the agent to parse user intent, call Tencent map web APIs (geocoder, place search, direction, travel/trail pages), and return generated map links or structured results. The instructions reference only the mapping endpoints (apis.map.qq.com, mapapi.qq.com) and the TMAP_LBS_CONFIG key; they do not direct the agent to read unrelated system files, other environment variables, or send data to unknown third parties.
Install Mechanism
ok: There is no install specification (no external downloads). The bundle includes index.js and docs; required binary is node which is appropriate for executing the included JS. No archived downloads, third-party installers, or unusual install steps are present.
Credentials
ok: Only a single env var TMAP_LBS_CONFIG is declared and used. That matches the need for a Tencent Maps API key. The code reads and sets process.env.TMAP_LBS_CONFIG only within the process and does not attempt to access other credentials or config paths.
Persistence & Privilege
ok: The skill does not request always:true, does not persist credentials to disk, and does not modify other skills' configurations. setConfig only writes to process.env in-memory. The skill can be invoked autonomously by default (platform normal), but it does not request elevated or persistent system privileges.