ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Google Maps

v0.1.0

Google Maps tools via OneKey Gateway (geocode, places, distance matrix, elevation, directions).

0· 78·0 current·0 all-time
by@ai-hub-admin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Google Maps via OneKey Gateway) matches the included scripts and the declared dependency on a OneKey router. However the registry metadata listed 'required env vars: none' while SKILL.md and all scripts require DEEPNLP_ONEKEY_ROUTER_ACCESS — an inconsistency between metadata and the runtime instructions.
Instruction Scope
SKILL.md instructs installation of the OneKey CLI and a Python package and to set DEEPNLP_ONEKEY_ROUTER_ACCESS. The scripts only read that env var (with a demo fallback), build a OneKeyAgentRouter, invoke the specified maps_* api_id, and print JSON. They do not read other system files or unrelated env vars. Note: the scripts fall back to a shared demo key (BETA_TEST_KEY_MARCH_2026) if no key is set, which will send any queries to the OneKey provider.
Install Mechanism
No arbitrary downloads; installation is via pip (ai-agent-marketplace) and npm (@aiagenta2z/onekey-gateway). These are standard package installs (trackable via PyPI/NPM) and there is no extract-from-URL behavior present. Review the upstream package sources before installing.
Credentials
The only runtime secret required is DEEPNLP_ONEKEY_ROUTER_ACCESS, which is appropriate for a gateway-based integration. The inconsistency is that registry metadata omitted this required env var. Also the built-in fallback demo key means sensitive queries will be sent to the OneKey provider if the user does not supply their own key.
Persistence & Privilege
The skill does not request elevated persistence (always:false), does not modify other skills or system-wide settings, and is user-invocable. Autonomous invocation is allowed by default on the platform and is not in itself a new concern here.
What to consider before installing
This skill appears to be a straightforward wrapper that forwards requests to a OneKey Gateway which in turn calls Google Maps APIs. Before installing: - Confirm the registry metadata vs. SKILL.md mismatch: the skill requires DEEPNLP_ONEKEY_ROUTER_ACCESS even though the registry listed no env vars. - Do not rely on the demo fallback key (BETA_TEST_KEY_MARCH_2026) for sensitive queries — it sends your location/addresses to the OneKey provider. Provide your own gateway key if you trust the provider, or prefer a direct Google Maps API integration instead. - Review the upstream npm (@aiagenta2z/onekey-gateway) and PyPI (ai-agent-marketplace) packages and their homepages/source to ensure you trust those maintainers. - If privacy or data residency matters, ask the provider how request/response data is logged and retained by the OneKey gateway. If you want me to, I can fetch the package pages for the listed dependencies (npm/PyPI) and check their source/homepages for additional signal.

Like a lobster shell, security has layers — review code before you run it.

latestvk9769mdbnsb3y2qc0cha11n7x583crnf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments