Security Scan
OpenClaw
Suspicious
medium confidence
Assessment recommendations
Before installing or running this skill:
- Verify you or your environment administrator have a trusted mcporter binary configured for the 'google-maps' MCP server; the script will run 'mcporter' locally via subprocess. The manifest does not declare this dependency, so confirm availability and trust manually.
- Confirm where the GOOGLE_MAPS_API_KEY is stored and that it is server-compatible (no browser referrer restrictions). The skill's metadata did not declare this required env var—treat this a...
Detailed analysis
ℹ Purpose and capability
The skill claims to generate leads via a self-hosted 'google-maps' MCP server and the provided script and SKILL.md implement that flow by calling mcporter tools (maps_search_places, maps_place_details). That purpose is coherent with the code. However, the registry metadata lists no required binaries or env vars while both the SKILL.md and the script require a local 'mcporter' binary and SKILL.md expects a GOOGLE_MAPS_API_KEY precondition — a manifest mismatch.
ℹ Instruction scope
SKILL.md gives a focused workflow (build queries, call maps_search_places, enrich with maps_place_details, export CSV/XLSX, optionally send file via message tool). It does not instruct reading unrelated system files. It does, however, refer to a required env var (GOOGLE_MAPS_API_KEY) and reliance on mcporter configuration; the script itself invokes mcporter via subprocess rather than reading the API key directly, which is reasonable but should be documented in the manifest.
⚠ Install mechanism
There is no install spec (instruction-only), which is lower risk in general, but the code calls an external binary ('mcporter') via subprocess and requires openpyxl for XLSX output. The manifest did not declare mcporter as a required binary nor declare dependencies. Executing subprocess calls to an undeclared local binary increases risk if users are unaware and the binary is untrusted or misconfigured.
⚠ Credential requirements
SKILL.md explicitly requires a server-compatible GOOGLE_MAPS_API_KEY in the environment, but the registry metadata lists no required environment variables and no primary credential. That discrepancy is important: the skill does rely on credentials (or on mcporter to hold them), and the manifest should declare this so users can judge scope and trust. No unrelated credentials are requested, but the missing declaration is the issue.
✓ Persistence and privileges
The skill does not request always:true, does not modify other skills' configs, and is user-invocable. It can be invoked autonomously (platform default), which is normal; nothing else in the package requests elevated or persistent privileges.
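Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v0.1.0 2026/2/12
● Suspicious
Install command
Official: npx clawhub@latest install google-maps-leadgen-skill
Mirror (accelerated): npx clawhub@latest install google-maps-leadgen-skill --registry https://cn.longxiaskill.com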