tmap-jsapi-gl-skill
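v1.0.2
Tencent Maps JavaScript GL (JSAPIGL) development guide. Suitable for writing map applications or tools. This skill should be used when writing, reviewing, or debugging code that uses the Tencent Maps API. Applies to map initialization, overlay display, layer control, event handling, control interaction, visualization rendering, map tools, search, route planning, address lookup, administrative divisions, IP location, geometric computation, 3D model display, performance opt...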
⭐ 0· 373·0 current·0 all-time
by tencent map @vajrabodhi
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the contents: the package is a local developer guide + demos for Tencent Map JSAPI GL. The single required env var TMAP_JSAPI_KEY is consistent with needing an API key to load the JS library.
Instruction Scope
SKILL.md instructs the agent to consult the included docs and demos and to substitute {TMAP_JSAPI_KEY} into script URLs — that is appropriate. The SKILL.md also contains a line saying it should "automatically trigger" when users mention Tencent map topics; this is an operational trigger statement in the docs (not code) and could make the skill fire frequently if the platform honors it. The metadata includes "bins": [""] (an empty-string entry) which looks like a minor metadata oddity but does not alter runtime behavior.
Install Mechanism
No install spec and no code files to execute — instruction-only. This is the lowest-risk install profile.
Credentials
Only TMAP_JSAPI_KEY is declared (primaryEnv). That is proportional for a client-side map API. Some included demo HTML files contain hard-coded example API keys (e.g., OB4BZ-...), which are likely sample/demo keys; they are not declared in requires.env but they appear in the shipped examples. This is not an immediate security problem but be aware these embedded keys may be public/demo keys and do not replace your own key.
Persistence & Privilege
Skill does not request persistent/always-loaded status (always:false) and does not request special system-level path or credential access. Autonomous invocation is allowed by platform defaults but not elevated here.
Scan Findings in Context
[unicode-control-chars] unexpected: The regex scanner flagged unicode-control-chars inside SKILL.md (possible prompt-injection pattern). The visible SKILL.md appears normal; this could be a false positive or hidden control characters in the text. Recommend inspecting the raw SKILL.md for invisible bidi/control characters before trusting displayed content.
Assessment
This skill is essentially an offline reference + demos for Tencent Map JSAPI GL and legitimately needs only your TMAP_JSAPI_KEY. Before installing: (1) Inspect the raw SKILL.md for any hidden/unexpected characters (scanner found unicode-control-chars). (2) Do not paste highly privileged credentials into demos; provide a limited/rotatable JS API key with least privilege. (3) Note that example HTML files contain embedded demo keys — ignore them and use your own key. (4) The skill may be invoked automatically by topic matches (per the SKILL.md wording); if you want to avoid background activations, adjust invocation settings on your platform. Overall the package is coherent with its stated purpose.
Like a lobster shell, security has layers — review code before you run it.
latest vk97a5dj8seyj196sw1d3ckk9r183j7ad
Runtime requirements
Bins: null
Env: TMAP_JSAPI_KEY
Primary env: TMAP_JSAPI_KEY
