v1.0.0

tencentmap-jsapi-gl-skill

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:18 AM.

Analysis

Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.

Guidance

Install this if you want Tencent Maps JSAPI GL reference help. Before using generated code, provide your own restricted Tencent Maps API key, replace any hardcoded demo key, and remember that browser examples load Tencent-hosted scripts and may send map/search/location requests to Tencent services. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
SKILL.md
<script src="https://map.qq.com/api/gljs?v=3&key={TMAP_JSAPI_KEY}"></script>

The quick-start template loads Tencent's hosted JavaScript SDK. This is expected for a browser map API guide, but it means resulting pages execute third-party SDK code.

User impact: Applications built from the examples will contact Tencent Maps and load Tencent-hosted JavaScript/assets in the browser.
Recommendation: Only use the SDK from trusted Tencent domains, review version choices, and disclose external map-service calls in applications that process location data.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low, Confidence: High, Status: Note
SKILL.md
requires": { "bins": [""], "env": ["TMAP_JSAPI_KEY"] }, "primaryEnv": "TMAP_JSAPI_KEY"

The skill expects a Tencent Maps API key. This is proportionate for a Tencent Maps development guide, but it is still a credential that can affect quota, billing, or account attribution.

User impact: If the user supplies a Tencent Maps key, generated examples may rely on that key to call Tencent Maps services.
Recommendation: Use a restricted Tencent Maps key, limit allowed domains/services where possible, and avoid pasting the key into public repositories.

Identity and Privilege Abuse
Severity: Low, Confidence: High, Status: Note
references/jsapigl/demos/地图操作示例_销毁地图.html
src="https://map.qq.com/api/gljs?v=1.exp&key=OB4BZ-D4W3U-B7VVO-4PJWW-6TKDJ-WPB77"

A reference demo embeds a concrete Tencent Maps API key instead of the SKILL.md placeholder. This is visible and appears to be demo material, but copied code could unintentionally reuse that key.

User impact: Users or agents copying directly from demos may include a hardcoded key rather than their own controlled key.
Recommendation: Replace demo keys with `{TMAP_JSAPI_KEY}` or another user-controlled restricted key before using generated code.