Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

tencentmap-jsapi-gl-skill

v1.0.0

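Development guide for Tencent Maps JavaScript GL (JSAPIGL). Suited to writing map applications or tools. Use this skill when writing, reviewing or debugging code that uses the Tencent Maps API. Applies to map initialization, overlay display, layer control, event handling, control interaction, visualization rendering, map tools, search, route planning, address lookup, administrative divisions, IP location, geometric calculation, 3D model display, performance opt...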

by 腾讯开源 (@tencent-adm)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the contents: the bundle is an instruction-only developer guide with many docs and demos for Tencent Map JSAPI-GL. The single required env var (TMAP_JSAPI_KEY) is appropriate for embedding the Tencent Maps script key. No unrelated binaries, installs, or unrelated credentials are requested.
Instruction Scope
SKILL.md instructs the agent to read the included docs and demos and return API explanations and code samples — this is within scope. However SKILL.md also states the skill should 'automatically trigger' when a user mentions Tencent map/jsapi — that grants broad activation intent (though registry flags do not force always:true). Additionally, a pre-scan detected unicode-control-chars in SKILL.md (possible prompt-injection attempt or hidden characters). Review the SKILL.md for invisible/control characters and any embedded directives before trusting autonomous behavior.
Install Mechanism
No install spec and no code files to execute; instruction-only skills are low-risk from an install perspective. The demos load external scripts from map.qq.com (expected for Tencent Maps).
Credentials
Only one required environment variable (TMAP_JSAPI_KEY) declared as primary — appropriate and proportionate for a JS API key. Note: many demo HTML files included in the bundle contain hard-coded demo API keys (OB4BZ-...) which are likely public sample keys; they do not justify additional credentials but may cause confusion if copied into production.
Persistence & Privilege
The skill does not request always:true and does not declare system-wide modifications. Autonomous invocation (disable-model-invocation:false) is the platform default; combine that with the SKILL.md's 'auto-trigger' wording and consider whether you want the agent to invoke this skill whenever map-related terms appear.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md contains unicode control characters or other invisible characters flagged by the scanner. These can be used for prompt-injection or to alter parsing/behavior; this is not expected for a documentation-only skill and should be inspected manually. Could be false positive (e.g., Chinese punctuation/formatting), but treat as suspicious until reviewed.
What to consider before installing
What to check before installing:
- Inspect SKILL.md for invisible/control characters or unexpected instructions (the scanner flagged 'unicode-control-chars'). Remove or ask the author to justify them. Hidden characters can be used to manipulate parsing or agent prompts.
- Confirm you’re comfortable granting the skill access to your TMAP_JSAPI_KEY. Use a restricted API key (domain/referrer restricted, minimal permissions) rather than a broad-purpose key.
- Note the skill includes many demo HTML files containing public/demo keys (OB4BZ-...). Do not copy demo keys into production. Replace with your own restricted key.
- Decide whether you want the agent to auto-invoke this skill when map-related terms appear; if not, disable autonomous invocation or keep it user-invocable only.
- Because this is instruction-only, risk is limited to the content of the docs and the agent’s use of your key; still validate outputs and avoid exposing sensitive data through examples produced by the skill.

If you want, I can (1) show the SKILL.md with visible control characters highlighted, or (2) produce a sanitized quickstart template that replaces {TMAP_JSAPI_KEY} with a placeholder and notes recommended key restrictions.


latestvk97bq4vepxax789371c1x5q91d83j24r

Runtime requirements

Bins: null
Env: TMAP_JSAPI_KEY
Primary env: TMAP_JSAPI_KEY
