
Pass

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent Amap map-service skill that uses an Amap API key and external map links as expected, with minor credential-storage, data-sharing, and dependency-provenance cautions.

Before installing, be comfortable providing an Amap Web Service key and sending map/search/route data to Amap. Use a dedicated API key, protect any local config.json file, and avoid using private data URLs for heatmap visualization.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who can read the local config file may be able to use the user's Amap API key and quota.

Why it was flagged

The skill reads an Amap API key from the environment or a local config file, can save it locally, and includes it in requests to Amap APIs. This is expected for the integration, but it is still credential handling: the key ends up on disk and in outbound request parameters.

Skill content
let key = process.env.AMAP_KEY || process.env.AMAP_WEBSERVICE_KEY; ... config.webServiceKey = key; ... const response = await axios.get(url, { params: requestParams });
Recommendation

Use a dedicated Amap key with limited permissions/quotas, prefer environment variables when possible, and avoid sharing the skill directory if config.json contains a key.

What this means

Future dependency resolution could install a newer axios release than the one reviewed.

Why it was flagged

The skill depends on axios using a semver range, so installs may resolve to later compatible versions. This is common and purpose-aligned for HTTP API calls, but not fully pinned.

Skill content
"dependencies": { "axios": "^1.13.6" }
Recommendation

Install from a trusted registry and consider using a lockfile or pinned dependency version in controlled environments.
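A small audit that makes the finding mechanical, as an added example rather than code from the skill: classify each dependency spec in package.json as pinned, a floating range, or a non-registry source, and combine that with whether a lockfile is present. The sample manifest is constructed for this example; only the `"^1.13.6"` range for axios is taken from the audited skill, and the lockfile names and verdict labels are assumptions.

```javascript
// Added example (not part of the audited skill): flag dependency specs that can
// resolve to a newer release than the one reviewed, and report whether a
// lockfile is present to freeze resolution.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Lockfiles that freeze resolution for npm, yarn and pnpm respectively.
const LOCKFILES = ["package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml"];

// Classify one spec string from "dependencies" / "devDependencies".
function classifySpec(spec) {
  if (EXACT_VERSION.test(spec)) return "pinned";
  if (/^(git\+|https?:|file:|github:)/.test(spec)) return "non-registry";
  return "range"; // ^, ~, >=, x-ranges, *, "latest" all float
}

// pkg is a parsed package.json; lockfiles is the list of file names present
// beside it. Returns the floating specs and an overall verdict.
function auditDependencies(pkg, lockfiles) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const floating = Object.entries(deps)
    .filter(([, spec]) => classifySpec(spec) !== "pinned")
    .map(([name, spec]) => ({ name, spec, kind: classifySpec(spec) }));
  const hasLockfile = lockfiles.some((f) => LOCKFILES.includes(f));
  let verdict;
  if (floating.length === 0) verdict = "pinned";
  else if (hasLockfile) verdict = "range-but-locked"; // frozen as long as installs honour the lockfile
  else verdict = "unpinned"; // each install may pull a different version
  return { floating, hasLockfile, verdict };
}

// Constructed sample manifest; the axios range matches the audited skill.
const SAMPLE_PKG = { dependencies: { axios: "^1.13.6" } };
```

Note that a lockfile only helps when the install step honours it: `npm ci` fails if package.json and package-lock.json disagree, whereas a plain `npm install` may update the lock. `npm-shrinkwrap.json` is the variant that is published with a package, which matters if the skill is installed as a dependency rather than from a checkout.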

What this means

If the data URL contains private, signed, or internal information, it may be exposed when the visualization link is opened.

Why it was flagged

The heatmap feature embeds a user-provided data URL into an Amap-hosted visualization link. This is part of the stated visualization purpose, but opening the link can disclose the data URL to the external map page.

Skill content
http://a.amap.com/jsapi_demo_show/static/openclaw/heatmap.html?mapStyle={map style}&dataUrl={data URL (URL-encoded)}
Recommendation

Only use public or intentionally shareable data URLs for heatmaps, and avoid embedding secrets or private signed links.
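A guard that enforces that recommendation before the link is built, as an added example that is not code from the skill: reject data URLs on private or internal hosts, with embedded credentials, or carrying query parameters that look like signatures or tokens, then URL-encode the survivor into the heatmap link. The heatmap base URL is the one quoted in the finding; the https-only rule, the parameter and host blocklists and the function names are assumptions made for this example and are stricter than anything the finding says the skill itself enforces.

```javascript
// Added example (not part of the audited skill): validate a user-supplied data
// URL before embedding it in the Amap-hosted heatmap page, so private hosts and
// signed or tokenised links are not handed to an external page.
const HEATMAP_BASE = "http://a.amap.com/jsapi_demo_show/static/openclaw/heatmap.html";

// Query parameter names that commonly carry credentials or signatures
// (generic tokens, AWS SigV4 and Azure SAS fields). Heuristic, not exhaustive.
const SECRET_PARAMS =
  /^(sig|signature|token|access_token|key|api_key|x-amz-signature|x-amz-credential|sas|se|sv|sp)$/i;

// Loopback, link-local, RFC 1918 and common internal-only suffixes.
function isPrivateHost(hostname) {
  const h = hostname.toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost") || h.endsWith(".internal") || h.endsWith(".local")) {
    return true;
  }
  const m = h.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Returns { ok: true, url } for an acceptable data URL, else { ok: false, reason }.
function checkDataUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (u.protocol !== "https:") return { ok: false, reason: "data URL must use https" };
  if (u.username || u.password) return { ok: false, reason: "embedded credentials in URL" };
  if (isPrivateHost(u.hostname)) return { ok: false, reason: "private or internal host" };
  for (const name of u.searchParams.keys()) {
    if (SECRET_PARAMS.test(name)) {
      return { ok: false, reason: `query parameter "${name}" looks like a credential or signature` };
    }
  }
  return { ok: true, url: u.toString() };
}

// Build the visualization link only from a data URL that passed the check.
// URLSearchParams performs the URL-encoding the template calls for.
function buildHeatmapLink(mapStyle, dataUrl) {
  const check = checkDataUrl(dataUrl);
  if (!check.ok) throw new Error(`refusing to embed data URL: ${check.reason}`);
  const q = new URLSearchParams({ mapStyle, dataUrl: check.url });
  return `${HEATMAP_BASE}?${q.toString()}`;
}
```

The parameter blocklist will occasionally reject a legitimate public URL (a data endpoint that happens to use `?key=` for something harmless), which is the right failure direction here: the cost of a false positive is a rewritten URL, the cost of a false negative is a pre-signed link to private data sitting in a third-party page's query string and referrer logs.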