gpx-kml-visualizer

Audited by ClawScan on May 11, 2026.

Overview

The tool is mostly a normal GPS visualizer, but it unexpectedly bundles precise private route data and has a generated-HTML injection risk that users should review.

Review before installing. The core scripts appear aligned with GPX/KML visualization, but remove or ignore the bundled real track data, check embedded coordinates and filenames before sharing generated JSON/HTML, use trusted inputs, and prefer static/offline output for sensitive routes.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who installs or inspects the skill can see a specific route and local path information, which may expose private location or account context.

Why it was flagged

The package includes a large GPS track dataset with precise coordinates and a local personal/WeChat file path. This is sensitive location/context data and is not needed for a generic visualizer skill.

Skill content

"source_file": "D:\\个人资料\\xwechat_files\\jordanlu_248148580_586a\\msg\\file\\2026-05\\常州市_公路骑行20260511112818.gpx", ... "lat": 31.3971125, "lon": 119.4873602

Recommendation

Remove the bundled real track data or replace it with a small synthetic example. Avoid packaging user routes or local source paths with the skill.

What this means

If a user visualizes an untrusted or specially named track, the generated HTML map could execute unexpected script content when opened.

Why it was flagged

The generated HTML interpolates the source filename from the input JSON without HTML escaping. A crafted JSON or route filename containing HTML/JavaScript could run code when the generated map is opened in a browser.

Skill content

source = Path(data["source_file"]).name ... <h3 style="margin: 0 0 8px 0; color: #333;">🗺️ {source}</h3>

Recommendation

Escape all user-controlled values before inserting them into HTML, especially source filenames and metadata. Treat GPX/KML/JSON inputs from others as untrusted.

What this means

Opening an interactive route map may contact OpenStreetMap, Esri, or OpenTopoMap services for tiles related to the route location.

Why it was flagged

Interactive maps load external map tiles based on the route area. This is expected for the feature and disclosed in SKILL.md, but it can reveal approximate route location and the viewer's IP address to tile providers.

Skill content

folium.Map(location=[center_lat, center_lon], zoom_start=14, tiles="OpenStreetMap") ... tiles="https://server.arcgisonline.com/..." ... tiles="https://{s}.tile.opentopomap.org/{z}/{x}/{y}.png"

Recommendation

Use the static JPG option or an offline/local tile source for sensitive routes, and review generated HTML before sharing.

What this means

Installing dependencies may pull current package versions from the Python package index, which can vary over time.

Why it was flagged

The skill relies on public Python packages installed through an unpinned pip command and has no install spec or lockfile. These packages are purpose-aligned, but versions and provenance are not constrained.

Skill content

pip install matplotlib numpy folium Pillow

Recommendation

Install in a virtual environment and consider pinning trusted package versions before use.