amap-lbs-skill Security Report — Trusted | ClawSafe

5 /100

amap-lbs-skill

高德地图综合服务，支持POI搜索、路径规划、旅游规划、周边搜索和热力图数据可视化

Legitimate Amap (高德地图) LBS service skill with properly declared capabilities and no security issues detected.

Skill Nameamap-lbs-skill

Duration33.2s

Enginepi

✓

Safe to install

No action required - the skill is safe to use.

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`READ`	✓ Aligned	index.js:17-35 config.json read/write
Network	`READ`	`READ`	✓ Aligned	index.js:66-95 axios calls to restapi.amap.com
Shell	`NONE`	`NONE`	—	No subprocess/exec usage found
Environment	`READ`	`READ`	✓ Aligned	index.js:51-53 reads AMAP_KEY, AMAP_WEBSERVICE_KEY only
Skill Invoke	`NONE`	`NONE`	—	No cross-skill invocation
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	Generates URLs only, no browser control
Database	`NONE`	`NONE`	—	No database access

24 findings

🔗

Medium External URL 外部 URL

https://lbs.amap.com/api/webservice/summary

SKILL.md:13

🔗

Medium External URL 外部 URL

https://lbs.amap.com/api/webservice/create-project-and-key

SKILL.md:40

🔗

Medium External URL 外部 URL

https://www.amap.com/search?query=

SKILL.md:76

🔗

Medium External URL 外部 URL

https://www.amap.com/search?query=美食

SKILL.md:93

🔗

Medium External URL 外部 URL

https://www.amap.com/search?query=酒店

SKILL.md:94

🔗

Medium External URL 外部 URL

https://www.amap.com/search?query=天安门

SKILL.md:95

🔗

Medium External URL 外部 URL

https://www.amap.com/search?query=加油站

SKILL.md:96

🔗

Medium External URL 外部 URL

https://lbs.amap.com

SKILL.md:140

🔗

Medium External URL 外部 URL

https://restapi.amap.com/v3/geocode/geo?address=

SKILL.md:148

🔗

Medium External URL 外部 URL

https://ditu.amap.com/search?query=

SKILL.md:181

🔗

Medium External URL 外部 URL

https://restapi.amap.com/v3/geocode/geo?address=西直门&output=JSON&key=xxx

SKILL.md:200

🔗

Medium External URL 外部 URL

https://ditu.amap.com/search?query=美食&query_type=RQBXY&longitude=116.353138&latitude=39.939385&range=1000

SKILL.md:202

🔗

Medium External URL 外部 URL

http://a.amap.com/jsapi_demo_show/static/openclaw/heatmap.html?mapStyle=

SKILL.md:227

🔗

Medium External URL 外部 URL

https://a.amap.com/Loca/static/loca-v2/demos/mock_data/hz_house_order.json

SKILL.md:248

🔗

Medium External URL 外部 URL

http://a.amap.com/jsapi_demo_show/static/openclaw/heatmap.html?mapStyle=grey&dataUrl=https%3A%2F%2Fa.amap.com%2FLoca%2Fs...

SKILL.md:256

🔗

Medium External URL 外部 URL

https://lbs.amap.com/

SKILL.md:424

🔗

Medium External URL 外部 URL

https://lbs.amap.com/api/webservice/guide/api-advanced/newpoisearch

SKILL.md:426

🔗

Medium External URL 外部 URL

https://lbs.amap.com/api/webservice/create-project-and-key\n

index.js:69

🔗

Medium External URL 外部 URL

https://restapi.amap.com/v5/place/text

index.js:90

🔗

Medium External URL 外部 URL

https://restapi.amap.com/v3/direction/walking

index.js:126

🔗

Medium External URL 外部 URL

https://restapi.amap.com/v3/direction/driving

index.js:162

🔗

Medium External URL 外部 URL

https://restapi.amap.com/v4/direction/bicycling

index.js:202

🔗

Medium External URL 外部 URL

https://restapi.amap.com/v3/direction/transit/integrated

index.js:239

🔗

Medium External URL 外部 URL

https://a.amap.com/jsapi_demo_show/static/openclaw/travel_plan.html

index.js:273

File Tree

8 files · 37.4 KB · 1220 lines

JavaScript 4f · 766L Markdown 1f · 426L JSON 3f · 28L

├─ ▾ 📁 scripts

│ ├─ 📜 poi-search.js JavaScript 99L · 3.1 KB

│ ├─ 📜 route-planning.js JavaScript 179L · 6.4 KB

│ └─ 📜 travel-planner.js JavaScript 82L · 2.7 KB

├─ 📋 _meta.json JSON 5L · 133 B

├─ 📋 config.example.json JSON 3L · 55 B

├─ 📜 index.js JavaScript 406L · 11.0 KB

├─ 📋 package.json JSON 20L · 492 B

└─ 📝 SKILL.md Markdown 426L · 13.5 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`axios`	`^1.13.6`	npm	No	Version range specified with caret - consider pinning to exact version

Security Positives

✓ API key access is scoped to specifically named variables (AMAP_KEY, AMAP_WEBSERVICE_KEY), not iterating through all env vars

✓ Network requests target only legitimate Amap API domains (restapi.amap.com)

✓ No credential exfiltration or data leakage detected

✓ No obfuscation techniques (base64, eval, etc.)

✓ No remote script execution (curl|bash, wget|sh)

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)

✓ Dependencies pinned to specific versions (axios ^1.13.6)

✓ No hidden functionality or shadow features

✓ Configuration stored locally in config.json as documented

✓ Scripts use safe argument parsing (process.argv) without shell execution

Scan Report

File Tree

Dependencies 1 items

Security Positives