ClawHub
Back to skill
v1.0.0

Amap Traffic

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:24 AM.

Analysis

The skill appears purpose-aligned for Amap traffic routing; it uses an Amap API key and sends route/address data to Amap, with no deceptive or destructive behavior evident.

GuidanceThis appears safe to install for its stated purpose if you are comfortable providing an Amap API key and sending queried route/location information to Amap. Consider using a dedicated restricted API key and note that the documentation mentions AMAP_KEY while the script first checks an apiKey field in the skill config.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
scripts/amap_traffic.py
config_paths = ["/home/admin/.openclaw/openclaw.json", os.path.expanduser("~/.openclaw/openclaw.json")] ... amap_key = skill_config.get('apiKey') ... return os.environ.get("AMAP_KEY")

The script reads a local OpenClaw config file or environment variable to obtain the Amap API credential. This is disclosed and purpose-aligned, but it gives the skill access to a provider key and associated quota.

User impactThe skill can use your Amap API key when making traffic and route requests.
RecommendationUse a dedicated Amap key for this skill if possible, restrict it in the Amap console where supported, and rotate it if you suspect exposure.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
scripts/amap_traffic.py
url = "https://restapi.amap.com/v3/geocode/geo" ... params = {"address": address, "key": amap_key} ... url = "https://restapi.amap.com/v3/direction/driving"

The skill sends addresses, coordinates, route endpoints, and the API key to Amap's external API. This is necessary for the advertised mapping function, but users should recognize the external data boundary.

User impactYour queried addresses and routes may be processed by Amap according to its API and privacy policies.
RecommendationAvoid using the skill for highly sensitive locations unless sharing them with Amap is acceptable.