Security scan
OpenClaw
Suspicious
Medium confidence. The skill is largely coherent and appropriate for Mapbox token security, but the runtime instructions contain at least one contradictory and operationally risky recommendation (immediate revocation on compromise) that could cause downtime; review before relying on it.
Assessment recommendations
This is documentation-level guidance about Mapbox token security that appears legitimate, but review and reconcile the conflicting instructions before using it operationally: 1) Update the incident-response steps to prefer "create a replacement token, deploy it and verify it before revoking the old one" whenever zero downtime is required; reserve immediate revocation for extreme emergencies where compromise is certain and downtime is acceptable. 2) Clarify "log token usage" so that only usage metrics are logged, never token values.
✓ Purpose and capabilities
Name and description match the included content: the files are guidance and checklists about Mapbox token types, scope management, URL restrictions, rotation, storage, and monitoring. The skill requests no binaries, env vars, installs, or credentials — appropriate for a documentation/consulting skill.
⚠ Instruction scope
Most runtime instructions stay within scope (token scoping, URL restrictions, storage, rotation, monitoring). However, the incident-response guidance includes 'Immediate actions (first 15 minutes): 1. Revoke the token' which contradicts the zero-downtime rotation guidance elsewhere (which says create new token and revoke old only after verifying). That contradiction is operationally meaningful: following the 'revoke first' instruction can cause outages. There are also minor ambiguities (e.g., 'Log token usage' is recommended but elsewhere the docs warn 'Don't log tokens' — this is fine if interpreted as 'log usage metrics, not token values', but the wording could be misapplied).
✓ Install mechanism
Instruction-only skill with no install spec and no code to write to disk. Lowest install risk.
✓ Credential requirements
The skill does not request any environment variables or credentials. Its recommendations to use environment variables and secret managers are appropriate and proportional to the stated purpose.
✓ Persistence and permissions
Skill is user-invocable, not always-on, and does not request system-level persistence or modify other skills. Normal privilege model.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest · v1.0.0 · 2026/3/31
mapbox-token-security v1.0.0
- Initial release providing best practices and guidelines for Mapbox access token security.
- Covers token types (public, secret, temporary) and recommended usage scenarios.
- Details scope management, including least privilege and scope combinations for common tasks.
- Explains how to set up URL restrictions and secure storage/handling for different token types.
- Includes a comprehensive security checklist and references for rotation, monitoring, and incident response.
- Lists clear situations for using this skill during development, audit, and incident workflows.
● Harmless
Install command
Official: npx clawhub@latest install mapbox-token-security
Mirror (accelerated): npx clawhub@latest install mapbox-token-security --registry https://cn.longxiaskill.com