Skill blocked — malicious content detected
ClawHub Security flagged this skill as malicious. Downloads are disabled. Review the scan results below.
test-tt-skill
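v1.1.32
Tencent Maps location service, supporting POI search, route planning, travel planning, nearby search, trajectory data visualization and map data visualization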
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description describe Tencent Location Services and the package only requires node and TMAP_LBS_CONFIG; the code and docs call Tencent endpoints (apis.map.qq.com, mapapi.qq.com) and implement POI search, routing, travel planning and trail visualization — all consistent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to build URLs, call Tencent Web Service APIs (via curl or the included Node functions) and to ask the user to supply the API key. This stays within scope. Note: the docs explicitly show building URLs that include the API key (key=xxx) and advise to 'ignore' the exposure concern based on whitelisting — embedding a key in a URL can expose it if the link is shared, so that is a privacy/operational caution rather than a mismatch with purpose.
Install Mechanism
There is no install spec (instruction-only install), which minimizes installation risk. Code files (index.js and reference docs) are included but nothing in the package tries to fetch external install artifacts or run installers.
Credentials
Only one required env var (TMAP_LBS_CONFIG) is declared and used as an API key in index.js. That is proportionate to calling Tencent APIs. No unrelated credentials or config paths are requested.
Persistence & Privilege
The skill is not force-included (always: false) and does not request elevated privileges or to modify other skills. It can be invoked autonomously (platform default), which is expected for a functional skill.
Assessment
This skill appears to do exactly what it claims: it builds Tencent Maps API requests and returns links or structured results. Before installing, consider: (1) you must supply TMAP_LBS_CONFIG (an API key/config) — only add a key that you control and do not paste keys into public chat; (2) the docs and examples often include the key parameter in generated URLs. Sharing such links can leak your key even if services use whitelists, so prefer keys with limited permissions/quota and rotate them if leaked; (3) the skill makes outgoing HTTPS requests to apis.map.qq.com / mapapi.qq.com — if you need stricter auditing, review index.js (the network calls are visible and not obfuscated); (4) rate limits and quota apply to Tencent APIs, so avoid automated high-frequency calls. If you want lower risk, test with a throwaway/limited API key first.
index.js:2
Environment variable access combined with network send.
Critical security concern
These patterns indicate potentially dangerous behavior. Exercise extreme caution and review the code thoroughly before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk9789yekztnaxqj3rg3q2j6yjh82p810
Runtime requirements
Bins: node
Env: TMAP_LBS_CONFIG
