Amap Navigation
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: amap-navigation Version: 1.0.0 The skill bundle is benign. It provides navigation, POI search, and taxi estimation functionalities using the AMap API. All network calls are directed to the AMap base URL, and API keys are correctly handled via environment variables. There is no evidence of prompt injection attempts in SKILL.md or README.md, nor any malicious code for data exfiltration, unauthorized execution, or persistence. The demo scripts (`nearby_demo.js`, `route_demo.js`) are clearly marked as such and use mock data, posing no risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You must provide an Amap API key for real use, and that key will be used when making map API requests.
The skill documentation requires a provider API key, while the registry metadata lists no required env vars or primary credential.
AMAP_API_KEY=your_api_key_here
Use a dedicated Amap Web Service key with provider-side restrictions where possible, and avoid sharing the key outside your local environment.
Your entered addresses or coordinates may be sent to Amap or to whatever AMAP_BASE_URL is configured.
The route-planning script sends the API key and user-provided origin/destination data to the configured Amap API endpoint, which is expected for navigation but worth user awareness.
url.searchParams.set('key', AMAP_API_KEY); url.searchParams.set('origin', originLoc); url.searchParams.set('destination', destLoc);Only use this skill for locations you are comfortable sending to the map provider, and keep AMAP_BASE_URL set to the official Amap endpoint unless you intentionally use a trusted proxy.