baidu-mapbox-isochrone

This skill appears to do what it says (convert Baidu coords, call Mapbox, save shapefiles and preview images), but there are several red flags you should consider before installing or running it: - Secrets handling: SKILL.md expects Baidu and Mapbox API keys stored in MEMORY.md but the skill metadata does not declare required credentials. Confirm where these keys will be read from and that you are comfortable storing them there. - Automatic outbound sends: The instructions require zipping outputs and sending both the preview image and the ZIP to a Feishu channel via the message tool. If you do not expect files (or credentials) to be transmitted to that channel, do not run the skill until this behavior is removed or clarified. Ensure the message tool/channel is one you control and trust. - Verify produced bundle: The ZIP will include shapefiles and the TIFF. Make sure no other sensitive files are placed in the output directory (default /root/.openclaw/workspace/isochrone_output) before running. - Review the script: Although the visible portion looks legitimate (calls Baidu, Mapbox, and ESRI/Mapbox tiles), the shipped Python script should be fully reviewed (the snippet is truncated in the manifest) to ensure it does not exfiltrate extra data or read unexpected local files. If you lack the ability to review code, run it in an isolated sandbox with test API keys. - Documentation mismatch: Ask the author to declare required credentials in the skill metadata (and to make automatic sending optional). Prefer skills that declare needed env vars and do not auto-push outputs to external channels without explicit user consent. Given these inconsistencies (undocumented secrets + mandatory automatic sending), treat the skill as suspicious until the above concerns are addressed or you run it in a safe, controlled environment.