ClawHub

Amap Traffic

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward AMap traffic and route-planning skill that uses an AMap key and sends route locations to AMap as expected.

Install this only if you are comfortable providing an AMap API key and sending queried addresses or route endpoints to AMap. Use a dedicated restricted API key where possible, keep the OpenClaw config file private, and avoid submitting highly sensitive home, work, or private locations unless that sharing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill metadata declares only an environment requirement, but the documentation explicitly states the implementation reads a local configuration file and calls external AMap APIs. This mismatch weakens permission transparency and can lead users or platforms to grant or review the skill under incomplete assumptions about file access and network behavior.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The documentation says the skill repeatedly reads `AMAP_KEY` from a local config file at runtime, which involves handling sensitive credentials from disk without any warning or guidance on secret exposure risks. In context this is not overtly malicious, but it increases the chance of accidental credential leakage, overbroad file access, or unsafe logging/debugging practices around the key.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
User-supplied addresses are transmitted to a third-party AMap geocoding service, which can expose sensitive location data such as home, work, or travel plans. Although this is necessary for the feature, the script provides no meaningful consent, privacy notice, or data-minimization control at the point of use, so users may unknowingly disclose personal information.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal