Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
oo
v1.0.0 AMap (高德地图) integrated service: supports POI search, route planning, travel planning, nearby search, and heatmap data visualization
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (高德地图 / AMap LBS: POI, routing, travel planning, heatmap) aligns with code, network endpoints (restapi.amap.com, a.amap.com, ditu.amap.com) and the single declared dependency (axios). No unrelated services or credentials are requested.
Instruction Scope
SKILL.md instructs the agent to parse user intent, prompt for an AMap API key when needed, call AMap Web Service APIs, construct map/heatmap URLs, and return links. It does not instruct reading arbitrary system files or exfiltrating data to unexpected endpoints.
Install Mechanism
Install spec only pulls the npm dependency axios (package.json matches). No downloads from untrusted URLs or extract/install of arbitrary binaries.
Credentials
The skill only requires an AMap Web Service key (primary credential). However, there is an inconsistency: registry and SKILL.md declare AMAP_WEBSERVICE_KEY as required, index.js accepts AMAP_WEBSERVICE_KEY or AMAP_KEY, but the CLI scripts (e.g., scripts/poi-search.js) explicitly check for process.env.AMAP_KEY and will exit if only AMAP_WEBSERVICE_KEY is set. This is an implementation mismatch (likely sloppy naming) rather than evidence of extra access.
Persistence & Privilege
The code reads/writes a local config.json in the skill directory to persist the webServiceKey. The skill does not request system-wide privileges nor modify other skills. Persisting the key to a local file is expected behavior but is persistent storage to be aware of.
Assessment
This skill appears to do exactly what it claims: use AMap Web Service APIs to search POIs, plan routes, generate travel plans, and build heatmap/map links. Before installing, consider: 1) The skill will need your AMap Web Service Key and can persist it to a local config.json file in the skill folder — only provide a key you trust storing locally. 2) There's a minor naming mismatch: CLI scripts check AMAP_KEY, while the registry/SKILL.md expect AMAP_WEBSERVICE_KEY (index.js accepts both). If you plan to run the included scripts, set AMAP_KEY (or both env vars) or modify the script to accept AMAP_WEBSERVICE_KEY. 3) Review the skill directory if you want to confirm where config.json is written. 4) Network calls go to official AMap domains; no other external endpoints were observed. If you need higher assurance, inspect the code yourself or run it in an isolated environment.
index.js:59
Environment variable access combined with network send.
index.js:14
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latestvk977bnqt8p1056wefd6hhkny9182wmba
Runtime requirements
Bins: node
Env: AMAP_WEBSERVICE_KEY
Primary env: AMAP_WEBSERVICE_KEY
Install
Node
npm i -g axios