Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Map Search
v1.0.0 · A map search tool better suited to users in China, supporting aggregated search across Amap (Gaode), Baidu, and Tencent Maps.
by 收藏夹1区 @shoucangjia1qu
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The code and SKILL.md implement map search across Amap, Baidu, and Tencent and require Python and the requests library — that fits the stated purpose. However, the registry metadata at the top of the submission claims no required environment variables and no config paths, while both SKILL.md and map_search.py clearly require API keys (AMAP_API_KEY, BAIDU_MAP_API_KEY, TENCENT_MAP_API_KEY) and read a configuration file at ~/.config/openclaw/map_config.json. That mismatch is an incoherence worth flagging.
Instruction Scope
Runtime instructions are focused on keyword and nearby searches and only reference map APIs. The code reads ~/.config/openclaw/map_config.json (and falls back to env vars) and will call the official map provider endpoints. The nearby-location feature uses Amap's IP geolocation when no coordinates are provided, which sends your IP to Amap. Instructions suggest creating a system symlink (/usr/local/bin) and show examples using /root/.openclaw paths — these are normal for a CLI but require appropriate privileges and care.
Install Mechanism
There is no install spec and no remote downloads; this is an instruction-only skill with a locally included Python script. The only extra dependency is the 'requests' Python package (SKILL.md notes to pip install requests). No archive downloads or third-party installers were observed.
Credentials
Requesting API keys for Amap, Baidu, and Tencent is proportionate to an aggregator map tool. However, the submission's top-level metadata did not list these required environment variables while SKILL.md and the code do — this discrepancy could lead to silent failures or misconfiguration and should be clarified. The skill also reads a config file in the user's home directory (~/.config/openclaw/map_config.json) which was not declared in registry metadata.
Persistence & Privilege
The skill does not request elevated platform privileges (always is false) and does not modify other skills. The only persistence suggestion is an optional symlink into /usr/local/bin (requires admin privileges to create) to expose the script as a system CLI. No evidence of self-enabling, system-wide config modifications, or hidden background services was found.
What to consider before installing
This skill's code matches its description: it queries official Amap/Baidu/Tencent APIs and falls back to env vars or ~/.config/openclaw/map_config.json for API keys. Before installing:
- Confirm the author/source (owner is unknown). Unknown-source skills carry higher risk.
- Note that the registry metadata omitted required API keys and the config path; you should treat the config file (~/.config/openclaw/map_config.json) as sensitive because it will contain your provider API keys.
- If you don't want a system-wide CLI, avoid creating the /usr/local/bin symlink (that requires root). Run the script from a user-controlled path instead.
- The script uses Amap IP geolocation when coords are not supplied — this will send your IP to Amap if you rely on that feature.
- Install 'requests' in a virtualenv or container first and review the map_search.py file yourself if you can. If you decide not to trust the unknown owner, run in an isolated environment or do not provide real API keys.

Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🗺️ Clawdis
Bins: python3
