Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Map Address Query
v0.1.0
Map service address lookup and distance-query workflow. MUST use this skill when the user asks for coordinates (坐标), latitude/longitude, POI locations (e.g.,...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (geocode, distance, Tencent Location Service) align with the included CLI and usage instructions. Requiring a Tencent Location Service key is expected; no unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md stays within mapping tasks: it instructs downloading a CLI, creating a home config (~/.qq_map_cli_config.json), and using the CLI for geocoding and distance queries. It does instruct persisting the user's Tencent key globally in their home config (expected for usability) but otherwise does not ask to read unrelated files or exfiltrate data.
Install Mechanism
The included script downloads a zip from a GitHub releases URL and unzips it into scripts/bin (then marks the binary executable). GitHub releases is a common host, but extracting and running a downloaded binary is an elevated-risk action; the behavior is coherent with the stated purpose but worth auditing before running.
Credentials
No required env vars are declared by the registry metadata. The tool accepts a Tencent API key via --key, the config file, or QQ_MAP_KEY, which is proportionate to the service it integrates with. There are no unrelated secrets requested.
Persistence & Privilege
Skill is not always-enabled and does not request system-wide changes beyond writing a config file in the user's home directory (~/.qq_map_cli_config.json) and placing a binary in the skill's scripts/bin folder. It does not modify other skills or system settings.
Assessment
This skill appears to do what it says: it downloads a third-party CLI from a GitHub release to query Tencent's Location Service and asks you to store your Tencent API key in ~/.qq_map_cli_config.json or an env var. Before installing or running: (1) verify the GitHub repository and release (scottkiss/qq-map-cli) and, if available, check release checksums or source code; (2) prefer supplying the minimum-scoped Tencent key and store it in an environment variable or secure store rather than committing it into project files; (3) be aware that running a downloaded binary can run arbitrary code — if you can't validate the binary, consider implementing equivalent calls directly to Tencent's API from audited code instead. If you want higher assurance, ask the publisher for source/build reproducibility or a checksum for the release artifacts.
Like a lobster shell, security has layers — review code before you run it.
