Skill v1.0.12

ClawScan security

tmap-test · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 12:47 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, docs, and required environment variable are consistent with a Tencent Maps LBS helper. Nothing indicates covert exfiltration or access to unrelated credentials, but the docs and code can place your API key in generated URLs, which must be handled carefully.
Guidance
This skill appears to be what it says: a Tencent Maps helper that uses one environment variable (TMAP_LBS_CONFIG) as its API key. Before installing, consider the following:
(1) TMAP_LBS_CONFIG is your API key/config. Keep it secret, restrict it by referrer and quota in the Tencent console, and rotate it if it is ever exposed.
(2) The references and examples sometimes include the key as a query parameter in returned links. Confirm that the agent will not expose your real key in messages or logs; prefer having the agent call the API and return the results rather than a URL containing key=YOUR_KEY.
(3) The code uses global fetch and AbortSignal.timeout, so the runtime needs a Node version that provides both without flags (Node 18 or newer).
(4) If you plan to share results publicly, do not include the key in shared URLs.
If any of these are unacceptable, do not enable the skill or provide the key.

Review Dimensions

Purpose & Capability
ok · Name/description, required binary (node), required env var (TMAP_LBS_CONFIG), and provided functions (POI search, route planning, travel planner, trail visualization) are consistent with a Tencent Maps location-service skill.
Instruction Scope
note · Runtime instructions stay within mapping functionality and direct the agent to call Tencent Maps web APIs. One notable inconsistency: many reference examples build and return URLs containing the API key (key=xxx) to the user, while other notes warn that 'these keys can not be shared or logged.' Returning links that embed the key could leak the user's API key if they are shared; the agent should avoid exposing the key in public responses or logs.
Install Mechanism
ok · No install spec (instruction-only); only a small index.js is present. No remote downloads or archive extraction. Requiring node is reasonable for the included JS code.
Credentials
ok · Only a single env var is required (TMAP_LBS_CONFIG), which is proportionate: it is the Tencent location-service API key/config. No unrelated secrets or additional credentials are requested.
Persistence & Privilege
ok · The skill is not force-included (always: false), does not request elevated platform privileges, and does not modify other skills or system-wide settings.
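The key-exposure finding above (Guidance items 2 and 3 and the Instruction Scope note) comes down to one rule: the key goes to the API, and nothing that carries it goes back to the user or into a log. The following is an added example of how a skill could enforce that; it is not tmap-test's own index.js. It assumes the host https://apis.map.qq.com, the path /ws/place/v1/search and the query parameter name key (the page only says the examples use key=xxx), and it takes the fetch implementation as a parameter so the flow can be exercised offline with a constructed response.

```javascript
// Added example (not the tmap-test skill's own code): send TMAP_LBS_CONFIG to
// the Tencent Maps API, but keep it out of returned links, errors and logs.
//
// Assumptions (not taken from the page): host https://apis.map.qq.com, path
// /ws/place/v1/search, and the key passed as the "key" query parameter.
// Adjust these to the documented endpoint you actually use.

const TMAP_BASE = "https://apis.map.qq.com"; // assumed host

// Build the request URL with the secret attached. This URL is for the network
// call only; it must never be returned to the user or logged as-is.
function buildRequestUrl(path, params, key) {
  const url = new URL(path, TMAP_BASE);
  for (const [name, value] of Object.entries(params)) {
    url.searchParams.set(name, String(value));
  }
  url.searchParams.set("key", key);
  return url;
}

// Shareable/loggable form of any URL: the key parameter is blanked, everything
// else (keyword, boundary, coordinates) is preserved so the link stays useful.
function redactKeyParam(urlLike) {
  const url = new URL(String(urlLike));
  if (url.searchParams.has("key")) {
    url.searchParams.set("key", "REDACTED");
  }
  return url.toString();
}

// Remove every literal occurrence of the key from a string, e.g. an API
// response that echoes the request, or the agent's final message. Assumes the
// key is plain ASCII (letters, digits, dashes) so it survives JSON and URL
// encoding unchanged and a substring replace is sufficient.
function scrubKey(text, key) {
  if (!key) return text;
  return text.split(key).join("REDACTED");
}

// Final gate before anything is emitted to the user or a log: refuse rather
// than leak.
function assertNoKeyLeak(text, key) {
  if (key && text.includes(key)) {
    throw new Error("refusing to emit output containing TMAP_LBS_CONFIG");
  }
  return text;
}

// Perform the call with a timeout. Global fetch and AbortSignal.timeout are
// available without flags from Node 18. fetchImpl is injectable for offline use.
async function tmapRequest(path, params, options = {}) {
  const {
    key = globalThis.process?.env?.TMAP_LBS_CONFIG,
    timeoutMs = 5000,
    fetchImpl = globalThis.fetch,
  } = options;
  if (!key) throw new Error("TMAP_LBS_CONFIG is not set");
  const url = buildRequestUrl(path, params, key);
  const res = await fetchImpl(url, { signal: AbortSignal.timeout(timeoutMs) });
  if (!res.ok) {
    // Only the redacted URL goes into the error, so it is safe to log.
    throw new Error(`Tencent Maps HTTP ${res.status} for ${redactKeyParam(url)}`);
  }
  const body = await res.text();
  return JSON.parse(scrubKey(body, key));
}

// Offline demonstration with a constructed response (no network): a response
// that echoes the request URL comes back with the key blanked.
async function demo() {
  const key = "ABCDE-FGHIJ-KLMNO-PQRST-UVWXY-Z1234"; // constructed, not a real key
  const fakeFetch = async (url) => ({
    ok: true,
    status: 200,
    text: async () => JSON.stringify({ status: 0, request_url: String(url) }),
  });
  const body = await tmapRequest("/ws/place/v1/search", { keyword: "coffee" },
    { key, fetchImpl: fakeFetch, timeoutMs: 1000 });
  return assertNoKeyLeak(JSON.stringify(body), key);
}

demo().then((out) => console.log(out));
```

The design choice is to treat the URL with the key as an internal value and to route every outbound string (result, error message, final agent reply) through redactKeyParam or scrubKey, with assertNoKeyLeak as the last check that fails closed. The substring scrub relies on the key being plain ASCII; a key containing characters that are percent- or JSON-escaped would need the scrub applied before encoding.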