Description

Provides Git-like version control tools for ArcGIS web maps, enabling branch management, commits, diffs, and sync with ArcGIS Portal using the gitmap CLI.

README (SKILL.md)

GitMap Skill

Name: Git-Map
Author: 14-tr

Version control for ArcGIS web maps — exposed as native OpenClaw tools.

Overview

GitMap provides Git-like version control for ArcGIS Online and Enterprise Portal web maps. This skill wraps the gitmap CLI as thin subprocess calls, exposing branch, commit, diff, push/pull, and map discovery as callable tools.

8 tools | Thin CLI wrapper | No local database | Requires: gitmap-core Python package

Prerequisites

Install GitMap Core

pip install gitmap-core

Configure Credentials

Set the following environment variables:

export PORTAL_URL="https://your-org.maps.arcgis.com"
export ARCGIS_USERNAME="your_username"
export ARCGIS_PASSWORD="your_password"

Security Note: Prefer using scoped API tokens over plaintext passwords when possible.

Required environment variables

PORTAL_URL: Your ArcGIS Portal or AGOL URL (e.g., https://myorg.maps.arcgis.com)
ARCGIS_USERNAME: Portal username
ARCGIS_PASSWORD: Portal password (prefer scoped API tokens over plaintext passwords)

Tools

Discovery & Status

gitmap_list — List available web maps from Portal (with optional filters)
gitmap_status — Show working tree status for a local GitMap repo
gitmap_log — View commit history for a repo

Versioning

gitmap_commit — Commit current map state with a message
gitmap_branch — List or create branches in a repo
gitmap_diff — Show changes between commits or branches

Portal Sync

gitmap_push — Push committed changes to ArcGIS Portal
gitmap_pull — Pull latest map from ArcGIS Portal

Tool Reference

`gitmap_list`

Discover web maps in Portal.

gitmap_list(
    query=None,        # Search query (e.g., "title:MyMap")
    owner=None,        # Filter by owner username
    tag=None,          # Filter by tag
    max_results=50,    # Max results to return
    portal_url=None,   # Portal URL (or use PORTAL_URL env var)
    username=None,     # Portal username (or ARCGIS_USERNAME env var)
    password=None,     # Portal password (or ARCGIS_PASSWORD env var)
    cwd=None,          # Working directory (default: home)
)

`gitmap_status`

Show repo status.

gitmap_status(
    cwd,               # Path to GitMap repository (required)
)

`gitmap_commit`

Commit current changes.

gitmap_commit(
    message,           # Commit message (required)
    cwd,               # Path to GitMap repository (required)
    author=None,       # Override commit author
)

`gitmap_branch`

List or create branches.

gitmap_branch(
    cwd,               # Path to GitMap repository (required)
    name=None,         # Branch name to create (omit to list)
    delete=False,      # Delete the named branch
)

`gitmap_diff`

Show changes between versions.

gitmap_diff(
    cwd,               # Path to GitMap repository (required)
    branch=None,       # Compare with this branch
    commit=None,       # Compare with this commit hash
)

`gitmap_push`

Push changes to Portal.

gitmap_push(
    cwd,               # Path to GitMap repository (required)
    branch=None,       # Branch to push (default: current)
    portal_url=None,   # Portal URL
    username=None,     # Portal username
    password=None,     # Portal password
)

`gitmap_pull`

Pull changes from Portal.

gitmap_pull(
    cwd,               # Path to GitMap repository (required)
    branch=None,       # Branch to pull (default: current)
    portal_url=None,   # Portal URL
    username=None,     # Portal username
    password=None,     # Portal password
)

`gitmap_log`

View commit history.

gitmap_log(
    cwd,               # Path to GitMap repository (required)
    branch=None,       # Branch to show log for
    limit=None,        # Max commits to show
)

Usage Examples

Discover Maps and Clone

# Find maps owned by a user
gitmap_list(owner="john.doe", max_results=20)
# → returns table of maps with item IDs

# Then clone manually:
# cd ~/maps && gitmap clone \x3Citem_id>

Typical Edit → Commit → Push Loop

# Check what changed
gitmap_status(cwd="~/maps/MyWebMap")

# Commit changes
gitmap_commit(message="Updated layer symbology", cwd="~/maps/MyWebMap")

# Push to Portal
gitmap_push(cwd="~/maps/MyWebMap")

Feature Branch Workflow

# List branches
gitmap_branch(cwd="~/maps/MyWebMap")

# Create a feature branch
gitmap_branch(name="feature/new-basemap", cwd="~/maps/MyWebMap")

# After editing, commit and push feature branch
gitmap_commit(message="Added satellite basemap", cwd="~/maps/MyWebMap")
gitmap_push(cwd="~/maps/MyWebMap", branch="feature/new-basemap")

Review History

# Recent commits
gitmap_log(cwd="~/maps/MyWebMap", limit=10)

# What changed since main?
gitmap_diff(cwd="~/maps/MyWebMap", branch="main")

Server

HTTP server at localhost:7400 (when running):

python server.py

Endpoints:

POST /tools/{tool_name} — Call a tool with JSON body
GET /health — Health check

Installation

Install command:

pip install gitmap-core

The skill uses the gitmap_core Python package directly for API access.

Notes & Known Limitations

Working directory is required for most commands — GitMap repos are directory-based like Git.
Portal credentials can be passed per-call or via environment variables (PORTAL_URL, ARCGIS_USERNAME, ARCGIS_PASSWORD).
gitmap list doesn't require a local repo — it queries Portal directly.
Output is raw CLI text — parsed lightly for structured responses where possible. NOT implement clone, init,- This skill does merge, checkout, l, or setupsm, context-repos — call the CLI directly for those.

This skill appears to do what it claims (Git-like operations for ArcGIS), but there are a few practical risks to weigh before installing or running it: - Metadata mismatch: the registry lists no required environment variables, but the code and SKILL.md require PORTAL_URL, ARCGIS_USERNAME and ARCGIS_PASSWORD (or a scoped token). Treat that as an honest mismatch but verify you are comfortable providing these credentials. - Secrets handling: the tool may pass passwords as CLI flags ("--password"), which can expose them to other local users via process listings. Prefer using scoped API tokens, avoid plaintext passwords, and run this in an isolated environment (dedicated VM or container) if possible. - Local HTTP server + permissive CORS: server.py starts a localhost HTTP API and sets Access-Control-Allow-Origin: '*'. If you run the server, web pages in your browser could make requests to it (cross-origin) and trigger actions that use the stored credentials. If you must run the server, consider removing/limiting the CORS wildcard and only calling the server from trusted contexts. - Package provenance: SKILL.md recommends pip install gitmap-core. Before installing, review the gitmap-core package source (the SKILL.md links a GitHub URL; verify that matches the package on PyPI) and install in a virtual environment. - Least privilege: only provide the minimum credentials needed (scoped tokens over full passwords), and avoid setting credentials globally in your system environment; consider runtime injection or a secrets manager. Given these issues, proceed cautiously: verify the upstream gitmap-core project, prefer tokens, avoid running the server with the default CORS settings, or use the CLI directly rather than exposing a local HTTP API.

Capability Analysis

Type: OpenClaw Skill Name: gitmap Version: 0.1.3 The skill is classified as suspicious primarily due to a significant prompt injection vulnerability identified in `SKILL.md`. The documentation explicitly instructs the OpenClaw agent to 'call the CLI directly' for certain `gitmap` operations (e.g., `clone`, `init`), bypassing the skill's defined, parameterized tools. This instruction creates a direct attack surface, allowing an attacker to craft prompts that could lead the agent to execute arbitrary shell commands via `gitmap` CLI, potentially resulting in remote code execution or arbitrary file system manipulation. Additionally, the `tools.py` file uses `subprocess.run` with arguments directly derived from user input (e.g., `cwd`, `message`, `branch`) without explicit sanitization, which, while using `shell=False`, still presents a potential shell injection vulnerability if the underlying `gitmap` CLI has argument parsing flaws or if `cwd` is directed to sensitive locations.

Capability Assessment

ℹ Purpose & Capability

The name, description, and code match: this is a thin wrapper around a gitmap CLI / gitmap_core library to manage ArcGIS web maps. Requesting ArcGIS portal credentials and a working-directory makes sense for this purpose. However, the registry metadata claims no required environment variables while SKILL.md and the code clearly expect PORTAL_URL, ARCGIS_USERNAME and ARCGIS_PASSWORD (or tokens) — that's an inconsistency between declared metadata and actual requirements.

⚠ Instruction Scope

SKILL.md instructs the agent/user to set portal credentials and to install gitmap-core — expected. But the skill runs a local HTTP server (server.py) exposing endpoints that will call tool functions and it sets Access-Control-Allow-Origin: '*' (CORS wildcard). That combination allows any web page the user visits (or an attacker controlling a local browser context) to make cross-origin requests to the local server and trigger tool actions that may use environment credentials. The server also accepts username/password overrides in JSON body and the tools will use environment variables when present. This broad runtime discretion (accepting arbitrary cwd, portal_url, username, password via the API) increases the attack surface beyond the simple CLI wrapper description.

ℹ Install Mechanism

There is no install spec in the registry (instruction-only), and the SKILL.md asks users to pip install gitmap-core. No third-party download URLs or archive extraction are used by the skill files themselves. The install requirement (pip install gitmap-core) is expected for a Python wrapper, but you should verify the origin and trustworthiness of the gitmap-core package before installing.

⚠ Credentials

The skill requires portal credentials to function, which is reasonable for ArcGIS access — but the code passes passwords via CLI flags (--password) when calling the gitmap CLI. Command-line arguments can be visible to other local users via process listings and to tooling that captures process args, so passing secrets this way is insecure. Additionally, the subprocess invocations copy the entire os.environ into the child, potentially exposing unrelated environment variables to subprocesses. Finally, the registry claims no required env vars while the runtime depends on PORTAL_URL, ARCGIS_USERNAME, and ARCGIS_PASSWORD (or tokens).

✓ Persistence & Privilege

The skill is not marked always:true, does not modify other skills, and only runs a local HTTP server bound to localhost. It does not request system-wide persistence beyond running a process when executed. The server prints logs to stdout but does not alter system or agent config files.

Version History

v0.1.3

Remove Discord references from docs

v0.1.2

Fix: remove internal channel IDs from docs

v0.1.1

Fix: use pip install gitmap-core, declare required env vars, remove local path dependencies

v0.1.0

Fix: corrected skill name

v1.0.0

Initial release of GitMap skill for ArcGIS web map version control. - Provides 8 OpenClaw-native tools for Git-like version control of ArcGIS Online/Portal web maps through the gitmap CLI. - Tools include: map discovery, status, commit, branch management, diff, push, pull, and viewing commit logs. - Requires prior installation of the gitmap CLI and configuring ArcGIS Portal credentials. - No local database; operates on directory-based repositories. - Most commands operate on a working directory; output is primarily raw CLI text. - Clone, init, merge, and some other advanced features must be run directly via the CLI.

Metadata

Slug gitmap

Version 0.1.3

License —

All-time Installs 0

Active Installs 0

Total Versions 5

Frequently Asked Questions

What is Git-Map?

Provides Git-like version control tools for ArcGIS web maps, enabling branch management, commits, diffs, and sync with ArcGIS Portal using the gitmap CLI. It is an AI Agent Skill for Claude Code / OpenClaw, with 759 downloads so far.

How do I install Git-Map?

Run "/install gitmap" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Git-Map free?

Yes, Git-Map is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Git-Map support?

Git-Map is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Git-Map?

It is built and maintained by TR (@14-tr); the current version is v0.1.3.

More Skills

Git-Map