Skill v1.0.3

ClawScan security

baidu-map-jsapi-gl · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 25, 2026, 6:49 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill is a documentation-only Baidu Maps (BMapGL) developer guide that requires only a single Baidu JSAPI key, and its files and instructions are consistent with that purpose.
Guidance
This skill is documentation for Baidu Maps JSAPI GL and only asks for a BMAP_JSAPI_KEY — that is expected. Before installing, confirm the skill's source (homepage is missing) and only provide a key that is restricted by allowed referrers/origins in the Baidu console. If you prefer tighter control, avoid giving long-lived keys: create a key with minimal scope, add referrer restrictions, and rotate/revoke it if you stop using the skill. Since the package is instruction-only, risk is low, but lack of a verifiable source reduces auditability — install only if you trust the publisher or after manual review of the files (which are included here).

Review Dimensions

Purpose & Capability
ok: Name/description match the provided content; the only requested env var is BMAP_JSAPI_KEY, which is appropriate for a JSAPI WebGL (BMapGL) integration guide. No unrelated credentials or binaries are requested.
Instruction Scope
ok: SKILL.md and the reference files are documentation and code examples only. They do not instruct the agent to read arbitrary local files, access unrelated environment variables, or transmit data to third-party endpoints. There are no vague instructions granting broad discretion.
Install Mechanism
ok: No install spec and no code to write or execute on the host (instruction-only). This is the lowest-risk installation model.
Credentials
note: Only BMAP_JSAPI_KEY is required and declared as primaryEnv, which is proportional. As with any API key, the user should ensure the key is scoped/restricted (referrer/origin/domain restrictions in the Baidu console) and not reused elsewhere.
Persistence & Privilege
ok: always:false (no forced global inclusion). disable-model-invocation is false (agent may invoke autonomously), which is the platform default and acceptable here. No indications the skill modifies other skills or system configs.