Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

gcoord - China Map Coordinate System Conversion

v1.1.0

Use when converting coordinates between WGS84, GCJ02, BD09, BD09MC, or WebMercator coordinate systems for Chinese map services (Baidu, Amap, Google China, etc.)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included code: index.js implements coordinate conversions using the gcoord npm package. Minor mismatch: SKILL.md and metadata list no required binaries, but the runtime assumes node is available (index.js is invoked with `node`).
Instruction Scope
SKILL.md confines runtime behavior to parsing user input, asking the user for missing parameters, and invoking the included index.js to perform conversions. It does not instruct reading unrelated files, sending data to external endpoints, or accessing environment secrets.
Install Mechanism
No install spec (instruction-only) and code files are included. package-lock.json references gcoord resolved from registry.npmmirror.com (an npm mirror). There are no download-from-arbitrary-URL installs or extract steps in the skill manifest.
Credentials
The skill requests no environment variables, credentials, or config paths. The code likewise does not read env vars or secrets.
Persistence & Privilege
always is false, the skill doesn't request persistent/system-wide changes, and it does not modify other skills or agent-wide configurations.
Assessment
This skill appears to do exactly what it says: convert coordinates using the gcoord npm library. Before installing, ensure the agent environment has Node.js (index.js is invoked with `node`; package.json lists node >=16.11.0 in the dependency entry), and be prepared to run `npm install` (the package-lock references the npmmirror registry — a common mirror, but if you prefer the official registry you can run installation against registry.npmjs.org). There are no requested credentials or external endpoints and tests only run the local CLI. If you operate in a restricted environment, verify Node availability and dependency installation policy; otherwise this skill is internally coherent and low-risk.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
test/test.js:9: Shell command execution detected (child_process).

Like a lobster shell, security has layers — review code before you run it.

Tags: china, coordinate, gis, latest, map
