Trusted (risk score 5/100)
Last scanned: 18 hours ago
amap-location
AMap (高德地图) map services (route planning, POI search)
Legitimate AMap (高德地图) location service skill with clean code, standard HTTP requests to documented API endpoints, and no suspicious behavior detected.
Skill name: amap-location
Analysis time: 32.2s
Engine: pi
OK to install
No action needed. The skill performs documented map services using standard Python libraries.

Security findings (1)

Severity: Low
Finding: Hardcoded configuration path in documentation (category: sensitive access)
Location: SKILL.md:10
SKILL.md references a specific config file path /home/thor/.openclaw/settings/amap.env. While not a code vulnerability, this exposes the expected location of API credentials.
source /home/thor/.openclaw/settings/amap.env
→ Consider using environment variable resolution without hardcoding paths in documentation
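| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Network access | READ | READ | ✓ Consistent | amap.py:21, static_map.py:29 - Only accesses restapi.amap.com |
| Environment variables | READ | READ | ✓ Consistent | amap.py:17, static_map.py:25 - Reads AMAP_API_KEY only |
| Filesystem | NONE | WRITE | ✓ Consistent | static_map.py:217 - Writes to configurable temp path (documented in SKILL.md) |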
2 findings
Severity: Medium
Finding: External URL
https://restapi.amap.com/v3
Location: amap.py:21
Severity: Medium
Finding: External URL
https://restapi.amap.com/v3/staticmap
Location: static_map.py:29

Directory structure

3 files · 21.7 KB · 733 lines
Python 2 files · 583 lines, Markdown 1 file · 150 lines
├─ 🐍 amap.py Python 269L · 8.7 KB
├─ 📝 SKILL.md Markdown 150L · 3.1 KB
└─ 🐍 static_map.py Python 314L · 9.9 KB

Dependency analysis (1)

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| Pillow | * | pip | | Standard image library for map generation |

Security highlights

✓ Clean, readable Python code without obfuscation
✓ No shell execution, subprocess, or eval() calls
✓ Only accesses documented AMap API endpoints (restapi.amap.com)
✓ API key usage matches documentation - reads from environment only
✓ No credential harvesting or data exfiltration
✓ Standard urllib library for HTTP requests - no suspicious client behavior
✓ Image processing uses standard PIL library with clear purpose
✓ File writes limited to configurable temp output path
✓ Proper error handling with try/except blocks
✓ No hidden functionality - code matches stated purpose