Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Travel Mapify
v2.2.0Copy Xiaohongshu travel planning homework into interactive route maps with real FlyAI hotel search in seconds.
⭐ 0· 61·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The code and SKILL.md align with the stated purpose (image/text → POIs → Amap geocoding → interactive HTML map + FlyAI hotel search). However, the declared registry metadata lists no required env vars/credentials even though the skill depends on an Amap API key (via a local proxy) and the FlyAI CLI; that discrepancy is notable and unexplained in the registry metadata.
Instruction Scope
The runtime instructions and included scripts will: run OCR, call a local Amap proxy, try to auto-detect OpenClaw workspace and FlyAI executables (reading files like AGENTS.md / SOUL.md and scanning common Node paths), and automatically start HTTP and hotel-search servers (ports 9000 and 8770 by default). Those actions go beyond simple map generation and involve filesystem enumeration and opening network sockets on the user's machine.
Install Mechanism
There is no remote download/install step; the skill is a local Python bundle. That reduces supply-chain risk. Still, the package contains multiple scripts that will be executed locally and auto-start servers; there is no install spec but the code executes behavior when run.
Credentials
Registry metadata declares no required env vars/credentials, but the documentation and code expect an Amap API (via a local proxy) and a FlyAI CLI. The skill's config module also reads environment variables if present (OPENCLAW_WORKSPACE) and will search the user's filesystem for FlyAI. The requested/assumed access surface (local API key in proxy, access to local ports, ability to probe user home for workspace and Node installations) is larger than what the registry metadata communicates.
Persistence & Privilege
always:false and model invocation defaults are fine. The skill auto-starts local servers and updates HTML templates with dynamic ports; it does not declare forced persistent inclusion nor claims to modify other skills. Still, auto-starting servers and writing/serving HTML creates a persistent running process and network endpoints which the user should be aware of.
What to consider before installing
Before installing or running this skill, consider the following: (1) it expects an Amap Web API key (the skill uses a local proxy by default) and the FlyAI CLI — but the registry metadata does not declare these credentials, so you must supply and manage them yourself; (2) the scripts will scan common locations in your home directory to detect OpenClaw workspace files and FlyAI binaries (this is for convenience but reads parts of your filesystem), so review scripts/config.py and confirm you are comfortable with that behavior; (3) the skill will auto-start local HTTP servers (default ports 9000 and 8770), which opens network ports on your machine — run behind a firewall or in an isolated environment if you have concerns; (4) inspect the main runtime script (scripts/main_travel_mapify_enhanced.py) before executing to verify there is no unexpected network exfiltration or external endpoints beyond the described Amap proxy and local FlyAI; (5) run the skill first in a sandbox/container or VM, verify which files it writes and which ports it opens, and ensure your Amap API key is kept in the local proxy (not embedded in client-side HTML). If you want higher confidence, request the maintainer to: (a) declare required env vars/credentials in the registry metadata, (b) provide clearer minimal-scope configuration (avoid whole-home rglob scans), and (c) document exactly what files are written/served and what outbound network calls occur.Like a lobster shell, security has layers — review code before you run it.
geocodingvk972dsb1wp7na51kn3vg3qeyvn842bfjlatestvk975b4n5s2r5635hy5kr4gn63h84avrgmapsvk972dsb1wp7na51kn3vg3qeyvn842bfjocrvk972dsb1wp7na51kn3vg3qeyvn842bfjroutingvk972dsb1wp7na51kn3vg3qeyvn842bfjtravelvk972dsb1wp7na51kn3vg3qeyvn842bfj
License
MIT-0
Free to use, modify, and redistribute. No attribution required.