Security Scan
OpenClaw
Suspicious
medium confidence
Assessment and Recommendations
This skill appears to do what it says (convert Baidu coords, call Mapbox, save shapefiles and preview images), but there are several red flags you should consider before installing or running it:
- Secrets handling: SKILL.md expects Baidu and Mapbox API keys stored in MEMORY.md but the skill metadata does not declare required credentials. Confirm where these keys will be read from and that you are comfortable storing them there.
- Automatic outbound sends: The instructions require zipping outp...
⚠ Purpose and Capabilities
The skill claims to convert Baidu BD-09 → WGS84 and call Mapbox isochrone — that matches the included script. However, SKILL.md tells the agent to read Baidu AK and Mapbox AK from MEMORY.md but the skill declares no required env vars or credentials. The skill also mandates sending outputs via a 'feishu' message channel even though no Feishu credentials or channel setup are declared. These mismatches mean required capabilities/credentials are not documented in the metadata.
⚠ Instruction Scope
SKILL.md instructs the agent to run scripts, zip all generated artifacts and then automatically send a preview image and the ZIP package to a Feishu channel via the message tool (the doc marks this as 'must execute'). That is broader than simply producing files: it causes automatic outbound transfer of generated files (and potentially any other files placed in the output dir). The instructions also reference MEMORY.md as the source of API keys, giving the skill implicit access to stored secrets. The 'automatic send' requirement is an operational decision that may be undesirable/unexpected for users.
✓ Install Mechanism
No install spec is provided (instruction-only with a bundled Python script). That minimizes additional install-time risk; the Python script will run when invoked and pulls remote tiles/APIs at runtime. No off-repo downloads or installers are specified in skill metadata.
⚠ Credential Requirements
The skill needs two API keys (Baidu AK and Mapbox AK) according to SKILL.md, but it does not declare required environment variables or primary credentials. Instead it expects those keys in MEMORY.md (agent memory). This is an inconsistency: the skill requires secrets but does not document them as required env vars. Also the automatic sending to Feishu implies the agent must have messaging/channel credentials configured — again not declared. The lack of declared credentials makes it hard to reason about what the skill will access/send.
✓ Persistence and Privileges
always is false and the skill is user-invocable (normal). There is no installer or configuration that attempts to persistently modify other skills or elevate privileges. Note: autonomous invocation is allowed by platform default — combined with the automatic-send instructions this increases the impact surface, but the skill itself does not request persistent 'always' inclusion.
Security is layered; review the code before running it.
Runtime Dependencies
No special dependencies
Version
latest v1.0.3 2026/4/7
● Harmless
Install Command
Official: npx clawhub@latest install baidu-mapbox-isochrone
Mirror: npx clawhub@latest install baidu-mapbox-isochrone --registry https://cn.longxiaskill.com