Back to skill
Skillv1.0.2
ClawScan security
tmap-lbs-service · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 3:11 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, declared requirements, and runtime instructions are consistent with a Tencent Maps (TMap) Web Service integration and only ask for a single API config value and the node runtime.
- Guidance
- This skill is internally consistent for calling Tencent Map Web Services: it will send the TMAP_LBS_CONFIG value (your API key/config) to Tencent endpoints (apis.map.qq.com / mapapi.qq.com / map.qq.com). Only provide a key you trust and, if possible, restrict it by referrer/quota in the Tencent console. The skill requires Node and uses fetch — ensure your runtime supports global fetch or the environment provides it. If you need extra assurance, review index.js yourself (it's included) before enabling the skill and avoid sharing the API key with others.
Review Dimensions
- Purpose & Capability
- okThe name/description describe map/POI/route/visualization features and the package implements HTTP calls to Tencent map endpoints. Requested binary (node) and the single env var TMAP_LBS_CONFIG (an API key/config) are appropriate for this purpose.
- Instruction Scope
- okSKILL.md and references direct the agent to parse user intents, call the included index.js functions, or construct Tencent map URLs. The runtime instructions only reference the included reference files and Tencent map domains; they do not ask the agent to read unrelated system files or transmit data to non-Tencent endpoints.
- Install Mechanism
- okThere is no install spec and the code is delivered in the skill bundle (instruction + index.js). Nothing is downloaded from arbitrary URLs or written to the system outside the skill’s files.
- Credentials
- okThe skill requests one env var (TMAP_LBS_CONFIG) consistent with needing an API key. No unrelated secrets or multiple credential types are requested. The code reads this env var and uses it only to call Tencent map APIs.
- Persistence & Privilege
- okThe skill does not request always:true, does not modify other skills or system-wide settings, and only manipulates process.env at runtime. It does not persist credentials to disk or require elevated privileges.