baidu-map-jsapi-gl
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a documentation-only Baidu Maps developer guide; the main things to notice are the expected map API key, external map-tile examples, and HTML snippets in sample code.
This skill appears safe to install as a reference-only guide. Before using generated code, restrict your Baidu Maps key, choose trusted HTTPS map providers, and sanitize any HTML inserted into map info windows or custom overlays.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated or configured map app may use your Baidu Maps key, which could affect quota or billing if exposed or unrestricted.
The skill declares a Baidu Maps API key requirement, which is expected for a Baidu Maps integration but is still a credential-like resource.
requires: env: BMAP_JSAPI_KEY ... primaryEnv: BMAP_JSAPI_KEY
Use a restricted Baidu Maps key, apply domain/IP or referer restrictions where available, separate dev and production keys, and avoid committing secrets unnecessarily.
If copied into an application, map users' browsers may contact third-party tile services and reveal tile coordinates, approximate viewport, IP address, and browser metadata.
The documentation includes examples for loading map tiles from third-party providers; this is expected for layer guidance but creates external provider traffic.
tileUrlTemplate: 'https://tile.openstreetmap.org/[z]/[x]/[y].png'
Use trusted HTTPS tile providers, review their privacy and usage terms, and avoid adding external layers unless the user specifically wants them.
If an agent copies this pattern with user-controlled or third-party POI data, the resulting web app could be vulnerable to HTML injection or XSS.
The sample custom overlay uses innerHTML with interpolated properties; this is a common UI pattern but can become unsafe if the values come from untrusted input.
div.innerHTML = `<img src="${this.properties.imgSrc}" /> ... <h4>${this.properties.title}</h4>`
Prefer textContent or DOM APIs for untrusted values, sanitize any HTML that must be rendered, and review generated map overlay code before publishing.
