Skills
skills/openclaw/skills/amap-lbs-skill/Snyk

amap-lbs-skill

Fail

Audited by Snyk on Mar 8, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). Insecure: the skill asks the user to provide their AMap API key and demonstrates embedding it verbatim into curl URLs, command-line args and config files (e.g., ?key={用户的key} and node index.js your_key), which requires the LLM to handle and output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). This skill directly calls AMap public web APIs (e.g., https://restapi.amap.com/* in index.js and scripts) and accepts user-supplied data URLs for heatmap generation (a.amap.com with dataUrl), parses the returned JSON POI/geocode results, and uses those results to plan routes and generate map tasks—so external, public third-party content is ingested and can materially influence tool use and next actions.
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 8, 2026, 07:43 AM