by 安全扫描
OpenClaw
安全
high confidenceThe skill is internally consistent for creating and sharing maps via the Spatix API: it requires no secrets or unusual system access and its instructions focus on calling api.spatix.io and optionally installing an MCP helper package.
评估建议
This skill appears to do what it says: call api.spatix.io to create maps, geocode addresses, and upload datasets. Before installing or using it: (1) remember that any data you send (addresses, GeoJSON, CSV) is transmitted to Spatix and uploaded datasets may be public depending on the fields you set — avoid sending sensitive location data; (2) if you follow the SKILL.md suggestion to 'pip install spatix-mcp', review the package source and contents before installing; (3) if you need to manage or r...详细分析 ▾
✓ 用途与能力
The name/description (map creation, geocoding, GeoJSON/CSV visualization) matches the SKILL.md instructions, which show only HTTP calls to api.spatix.io and optional MCP helper installation. There are no unrelated required env vars, binaries, or config paths.
ℹ 指令范围
All runtime instructions are scoped to interacting with Spatix endpoints (map creation, geocoding, datasets, leaderboard). The skill does instruct agents to upload datasets and post map data to https://api.spatix.io (expected), so users should be aware that any uploaded location data or datasets will be transmitted to and may be visible via Spatix (public dataset examples and license fields are shown).
ℹ 安装机制
There is no registry install spec (instruction-only), which is low risk. The SKILL.md suggests an optional 'pip install spatix-mcp' or 'uvx spatix-mcp' for an MCP server; if a user follows that advice they should vet the package source before installing. The skill itself does not force installation of any code.
✓ 凭证需求
The skill declares no required env vars or credentials. It mentions optional non-secret display identifiers (SPATIX_AGENT_ID, SPATIX_AGENT_NAME) and an optional JWT for account-based higher rate limits—these are proportional to the stated functionality.
✓ 持久化与权限
always:false and no config paths or persistence are requested. The skill can be invoked autonomously by an agent (platform default), but it does not request elevated or persistent privileges beyond typical agent use.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.1.02026/2/8
Security scan fixes: added auth docs, removed airdrop mention, fixed API accuracy, clarified agent_id/agent_name as display identifiers, fixed MCP config
● 可疑
安装命令
点击复制官方npx clawhub@latest install spatix
镜像加速npx clawhub@latest install spatix --registry https://cn.longxiaskill.com✓ 镜像可用