📦 Mapbox MCP Runtime Patterns — Mapbox运行时集成

v1.0.0

汇总在AI应用与智能体框架中集成Mapbox MCP Server的典型模式，涵盖pydantic-ai、mastra、LangChain及自定义运行时的接入方案，帮助开发者快速调用地图与位置服务。

0· 71·0 当前·0 累计

by @mapbox (Mapbox)

开发工具 API工具智能体云服务

下载技能包

最后更新

2026/3/31

安全扫描

VirusTotal

无害

查看报告

OpenClaw

可疑

medium confidence

The skill's documentation and examples match its stated purpose (Mapbox MCP integration), but the package omits declaring required credentials and contains instructions that launch external code (npx / npm) and sets agent system prompts — mismatches that merit caution before install.

评估建议

This package appears to contain legitimate Mapbox MCP integration patterns and runnable examples, but there are a few mismatches and operational risks to consider before using it: - Credentials: The manifest lists no required env vars, but examples and SKILL.md require MAPBOX_ACCESS_TOKEN (and many examples also reference OPENAI_API_KEY and HF_TOKEN). Do not run examples until you confirm which tokens are needed and provide them securely (use least-privilege tokens, rotate them, and avoid pasti...

详细分析 ▾

ℹ 用途与能力

The name/description and the included example code all focus on integrating Mapbox MCP Server into agents (pydantic-ai, LangChain, Mastra, smolagents, CrewAI). That capability is coherent with the stated purpose. However, the registry metadata declares no required environment variables or primary credential even though the SKILL.md and examples clearly require MAPBOX_ACCESS_TOKEN (and sample workflows also reference OPENAI_API_KEY and HF_TOKEN). The omission of required env vars in metadata is an inconsistency.

⚠ 指令范围

SKILL.md and example files instruct running either the hosted MCP endpoint or self-hosting via `npm install` / `npx @mapbox/mcp-server`, and multiple code examples spawn child processes (subprocess.Popen, spawn) and write to process stdin/stdout. Those runtime actions are within the general scope of self-hosting MCP, but they allow executing code fetched from npm at runtime and give the agent/installer the option to run arbitrary packages. The instructions also embed system prompts (e.g., agent system_prompt strings) which can change agent behavior — expected for agent patterns but flagged by the pre-scan as a prompt-injection signal.

ℹ 安装机制

There is no install spec in the registry (instruction-only), which is low-risk by itself. However, the documentation and examples rely on npm/npx to install or run `@mapbox/mcp-server` (and suggest `npm install` in TypeScript examples). Running `npx` will fetch and execute code from the npm registry at runtime — a legitimate self-host option but a higher-risk install pattern if used without verification. No downloads from unknown hosts or URL shorteners are present; the hosted endpoint references mapbox.com.

⚠ 凭证需求

The skill declares no required env vars or primary credential, but SKILL.md and multiple examples clearly require MAPBOX_ACCESS_TOKEN for MCP and also reference OPENAI_API_KEY and HF_TOKEN in examples. Requiring API tokens for Mapbox (and optionally LLM/HuggingFace keys in examples) is expected for the stated purpose — but the metadata failing to declare these credentials is an incoherence and increases the chance a user will run examples without realizing sensitive tokens are required. Ensure tokens are provided with least privilege and not hard-coded.

✓ 持久化与权限

always:false and normal model invocation semantics. The skill does not request forced persistence or system-wide configuration changes in the manifest. Example code starts local processes (self-hosting) but does not attempt to modify other skills' configurations.

⚠ examples/typescript/langchain-example.ts:26

Environment variable access combined with network send.

⚠ examples/typescript/mastra-example.ts:24

Environment variable access combined with network send.

⚠ references/production.md:167

Prompt-injection style instruction pattern detected.

安全有层次，运行前请审查代码。

运行时依赖

无特殊依赖

版本

latestv1.0.02026/3/31

- Initial release of mapbox-mcp-runtime-patterns skill. - Provides integration patterns for Mapbox MCP Server with popular AI frameworks including pydantic-ai, mastra, LangChain, and custom agents. - Explains distinctions between offline geospatial tools and Mapbox API-powered tools, with usage guidance. - Details best practices for cost, performance, and security in production AI applications. - Includes references for setup (hosted/self-hosted), and pointers to detailed integration guides for various agent frameworks. - Ideal for teams building AI-powered apps that require geospatial capabilities.

● 无害

安装命令

点击复制

官方npx clawhub@latest install mapbox-mcp-runtime-patterns

镜像加速npx clawhub@latest install mapbox-mcp-runtime-patterns --registry https://cn.longxiaskill.com

数据来源：ClawHub ↗ · 中文优化：龙虾技能库