mapbox
v1.0.0
Build, debug, and integrate Mapbox apps and APIs, including Mapbox GL JS map setup, styles, sources/layers, markers/popups, geocoding, directions, static ima...
⭐ 1 · 120 · 0 current · 0 all-time
by @jvy
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Mapbox integration, GL JS, styles, geocoding, directions) match the SKILL.md and the included reference patterns. There are no unexpected required binaries, install steps, or unrelated environment variables declared.
Instruction Scope
The SKILL.md and references are narrowly focused on Mapbox usage, debugging, and migration. It instructs the agent to read the included references/patterns.md and to use environment/runtime config for tokens. One small caution: examples show both process.env (server-side) and import.meta.env/VITE_MAPBOX_ACCESS_TOKEN (frontend build-time) — the latter can expose public tokens if used incorrectly. Overall the instructions do not ask the agent to read unrelated system files or exfiltrate data.
Install Mechanism
Instruction-only skill with no install spec and no code files that would be written to disk; lowest-risk install footprint.
Credentials
The skill does not declare any required env vars or credentials. The examples reference MAPBOX_ACCESS_TOKEN and VITE_MAPBOX_ACCESS_TOKEN, which is appropriate for Mapbox tasks, but users should ensure secret tokens stay server-side and public tokens are properly restricted (allowed URLs/scopes).
Persistence & Privilege
always is false and the skill does not request persistent system changes. agents/openai.yaml allows implicit invocation (normal default); combined with the lack of requested credentials or installs, this is not a meaningful risk here.
Assessment
This skill appears coherent and Mapbox-focused. Before installing or using it: (1) don't paste real secret tokens into chat — provide scoped public tokens or use server-side tokens when possible; (2) verify any sample code uses environment/runtime configuration rather than hardcoding tokens; (3) if you plan to let the agent run autonomously, be aware the skill is allowed implicit invocation (default) but it doesn't request extra credentials or install code; (4) restrict Mapbox tokens by allowed URLs/scopes in the Mapbox dashboard and rotate tokens if you accidentally expose them.
Like a lobster shell, security has layers — review code before you run it.
latestvk97dg0tde13wqh9nwqm22smbm583b4as
Runtime requirements
🗺️ Clawdis
