tmap-lbs-skill
PassAudited by ClawScan on May 1, 2026.
Overview
This skill is coherent for Tencent Maps search, routing, and visualization, but users should trust the npm CLI package, protect their Tencent Maps API key, and understand that location data is sent to Tencent map services.
Before installing, make sure you trust the @tencent-map/lbs-skills npm package and Tencent Maps service. Use a scoped or temporary Tencent Maps API key if available, do not expose the raw key in chat or logs, and avoid using private GPS trails or sensitive route data unless you are comfortable sharing them with the external map service.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may install and run an external CLI on the user's machine.
The skill's functionality depends on an external npm package that installs the tmap-lbs executable; this is expected for the map-service purpose but is still a package provenance point users should notice.
node | package: @tencent-map/lbs-skills | creates binaries: tmap-lbs
Install only if you trust the package source and publisher; keep the package updated through normal trusted package-management channels.
The API key can consume the user's Tencent Maps quota and should be treated like a secret.
The skill requires a Tencent Maps Web Service key and can store it through the CLI; the instructions appropriately say not to output the key value, but the key is still account-linked authority.
requires:\n env: TMAP_WEBSERVICE_KEY\n...\n1. 先通过 `tmap-lbs config get-key` 检查是否已配置 Key,只输出是否有,不要输出 Key 值\n...\n- `tmap-lbs config set-key <your-key>`
Use a limited or temporary Tencent Maps key where possible, do not share the raw key in outputs, and rotate it if it is exposed.
Private route, GPS, or travel data could become visible to the external visualization service or anyone with access to the generated link.
Trail visualization embeds a user-provided data URL into a Tencent Maps web page and suggests previewing it, which is purpose-aligned but may disclose route or GPS data to an external map page.
tmap-lbs trail --data <数据URL> ... https://mapapi.qq.com/web/claw/trail-map.html?data={编码后的数据地址} ... 点击链接即可查看轨迹图展示,同时直接预览这个网页。Use non-sensitive or intentionally shared trail data URLs, and avoid generating previews for private location datasets unless you are comfortable sharing them with the map service.