Skill v1.0.2
ClawScan security
tmap-jsapi-gl-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 25, 2026, 8:05 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only Tencent Maps JSAPI-GL developer guide that only requires a single API key (TMAP_JSAPI_KEY), and its files and instructions align with that purpose; no disproportionate installs, extra credentials, or persistence were found.
- Guidance: This skill is essentially an offline reference + demos for Tencent Map JSAPI GL and legitimately needs only your TMAP_JSAPI_KEY. Before installing: (1) Inspect the raw SKILL.md for any hidden/unexpected characters (scanner found unicode-control-chars). (2) Do not paste highly privileged credentials into demos; provide a limited/rotatable JS API key with least privilege. (3) Note that example HTML files contain embedded demo keys; ignore them and use your own key. (4) The skill may be invoked automatically by topic matches (per the SKILL.md wording); if you want to avoid background activations, adjust invocation settings on your platform. Overall the package is coherent with its stated purpose.
- Findings
  - [unicode-control-chars] unexpected: The regex scanner flagged unicode-control-chars inside SKILL.md (possible prompt-injection pattern). The visible SKILL.md appears normal; this could be a false positive or hidden control characters in the text. Recommend inspecting the raw SKILL.md for invisible bidi/control characters before trusting displayed content.
Review Dimensions
- Purpose & Capability: ok. Name/description match the contents: the package is a local developer guide + demos for Tencent Map JSAPI GL. The single required env var TMAP_JSAPI_KEY is consistent with needing an API key to load the JS library.
- Instruction Scope: note. SKILL.md instructs the agent to consult the included docs and demos and to substitute {TMAP_JSAPI_KEY} into script URLs; that is appropriate. The SKILL.md also contains a line saying it should "automatically trigger" when users mention Tencent map topics; this is an operational trigger statement in the docs (not code) and could make the skill fire frequently if the platform honors it. The metadata includes "bins": [""] (an empty-string entry), which looks like a minor metadata oddity but does not alter runtime behavior.
- Install Mechanism: ok. No install spec and no code files to execute; instruction-only. This is the lowest-risk install profile.
- Credentials: note. Only TMAP_JSAPI_KEY is declared (primaryEnv). That is proportional for a client-side map API. Some included demo HTML files contain hard-coded example API keys (e.g., OB4BZ-...), which are likely sample/demo keys; they are not declared in requires.env but they appear in the shipped examples. This is not an immediate security problem, but be aware that these embedded keys may be public/demo keys and do not replace your own key.
- Persistence & Privilege: ok. Skill does not request persistent/always-loaded status (always:false) and does not request special system-level path or credential access. Autonomous invocation is allowed by platform defaults but not elevated here.
