Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Map Grabber

v1.1.2

Fetch OpenStreetMap vector data (streets, buildings) for an address and export to SVG, GeoPackage, or DXF for CAD/Rhino.

0· 722·3 current·3 all-time
by AddinCui@qrost
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included files: the script uses osmnx to geocode and download OSM streets/buildings and can export SVG/PNG/GPKG/DXF. Required libraries (osmnx, optional ezdxf) are appropriate and proportional to the stated functionality.
Instruction Scope
SKILL.md explicitly instructs the agent to run the included script via shell exec when the user requests a map and to send generated PNGs from allowed media dirs. This is in-scope for the feature, but the instructions assert 'Do not ask for confirmation' — note this gives the agent permission to run the script immediately when triggered. The script will perform network calls (osmnx -> Nominatim/Overpass) to geocode and fetch OSM data, which is expected but has privacy implications for sensitive addresses.
Install Mechanism
There is no automated install spec; the SKILL.md asks the user to run pip install -r requirements.txt. No downloads from arbitrary URLs or archive extraction are present. This is a low-risk, transparent approach.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportional: mapping and OSM access do not require secrets. The requirements.txt lists osmnx and ezdxf as expected.
Persistence & Privilege
always is false and model invocation is permitted (the platform default). The skill does not request persistent system-level privileges or modify other skills. The primary runtime action is running a local script on user request.
Assessment
This skill appears to do what it says: it runs a local Python script that uses osmnx to geocode and download OpenStreetMap data and export images/files. Before installing, consider: (1) you must pip install osmnx (and its heavy geopandas dependencies) — that can be nontrivial on some systems; (2) the script will send the provided address to OSM geocoding/Overpass services (privacy risk for sensitive locations); (3) the SKILL.md directs the agent to execute the script without asking for extra confirmation when you ask for a map—if you prefer confirmations, change that behavior; (4) outputs must be written to allowed media dirs (/tmp or ~/.openclaw/media/) for sending via chat; (5) the code is short and readable, but if you have high security/privacy requirements, review or run it in an isolated environment before adding to a production agent.

Like a lobster shell, security has layers — review code before you run it.

latestvk971xvd92zhahkh01r5thbjwkn81kz1x
