← Back to Skills Marketplace
641
Downloads
1
Stars
2
Active Installs
14
Versions
Install in OpenClaw
/install navclaw
Description
Smart driving — exhaustive route search, may outperform default navigation. 导航/自驾/极限避堵, dozens of routes. One-tap iOS/Android deep link. Supports 高德/Amap. 智能...
Usage Guidance
This package appears to do what it says: it queries Amap, generates route candidates, and can post results to Mattermost. Before installing: 1) Verify the source (the skill claims a GitHub repo but the registry metadata lists source/homepage as unknown — confirm the upstream repo and review it yourself). 2) Only provide an Amap API key and Mattermost bot token if you trust the code and host; prefer creating a bot account with minimal privileges and a dedicated Amap key. 3) Be aware the skill writes credentials into config.py (a plain file) and may add an entry to OpenClaw long-term memory; avoid storing secrets in long-term memory or broad-scope locations. 4) If you want minimal blast radius, run the tool locally (not letting the agent autonomously write config files), or inspect and run wrapper.py manually to control when messages/logs are uploaded. 5) If you need higher assurance, ask the publisher for an official homepage or signed release and/or perform a line-by-line audit of the bundled files (wrapper.py and navclaw.py) to confirm there are no unexpected network calls beyond Amap and configured Mattermost endpoints.
Capability Analysis
Type: OpenClaw Skill
Name: navclaw
Version: 1.0.3
The NavClaw skill bundle provides advanced navigation features but introduces a significant security risk through its configuration process. The instructions in SKILL.md and README.md direct the AI agent to write user-supplied sensitive data (Amap API keys and Mattermost tokens) directly into 'config.py', a Python file that is imported by the core logic in 'navclaw.py' and 'wrapper.py'. This creates a high risk of Remote Code Execution (RCE) via prompt injection, as a malicious user could provide an 'API key' containing Python code that would be executed upon the next run. While the behavior appears intended for legitimate configuration, the lack of input sanitization for a file that is later executed makes it highly vulnerable.
Capability Assessment
Purpose & Capability
NavClaw's described functionality (exhaustive routing using Amap, producing deep links, optional Mattermost posting) matches the code and runtime instructions. The Amap API key and optional Mattermost bot credentials are consistent with the stated features and are expected for the declared capabilities.
Instruction Scope
SKILL.md instructs the agent/operator to check memory for an Amap API key, prompt the user, and/or write the key (and optional Mattermost config) into config.py; it also instructs calling wrapper.py and possibly uploading logs or sending messages to Mattermost. These actions are in-scope for a navigation skill, but they involve writing/storing secrets and sending files/messages to an external chat server. The agent is also instructed to update OpenClaw long-term memory or MEMORY.md as an installation option, which grants persistent trigger capability if done.
Install Mechanism
There is no remote download/install step in the registry metadata; the package is instruction/code-bundle style with a small requirements.txt (requests). No third-party archive downloads or obscure URLs are used. Dependencies are minimal and proportional (only requests required).
Credentials
The registry lists no required env vars, and the skill expects users to populate API_KEY, MM_BASEURL, MM_BOT_TOKEN, and MM_CHANNEL_ID inside config.py. Those secrets are directly relevant: Amap key for routing queries and Mattermost token/URL/channel for message delivery. The number of credentials is appropriate for the feature set, but note they are stored in a config file (not environment variables).
Persistence & Privilege
The skill does not request 'always: true' and uses normal autonomous invocation. However, SKILL.md explicitly recommends adding triggers to OpenClaw long-term memory / MEMORY.md to make invocation convenient; doing so gives the skill persistent triggerability within your agent. That is expected for an agent skill but is a privileged persistence decision you should consciously allow or avoid.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install navclaw - After installation, invoke the skill by name or use
/navclaw - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
navclaw 1.0.3
- Updated English description for improved clarity.
- No code or functionality changes in this version.
v1.0.2
- Improved and clarified documentation for easier setup and usage.
- No functional or code changes; documentation update only.
v1.0.1
- Added bilingual (Chinese/English) documentation and descriptions for broader accessibility.
- Clarified product positioning in description, emphasizing exhaustive route search and one-tap mobile app navigation.
- Updated author and project information to stress open-source, community-driven nature.
- Minor improvements to documentation structure and wording for clarity.
v1.0.0
update docs and skill. remove weather and food function
v0.2.1
0.2.1 add more demos
v0.2.0
0.2.0 FIX on stability
v0.1.8
fix link length issues for ios and android
v0.1.7
fix mattermost issues
v0.1.6
v0.1.6 fix messages issues release: Your Personal AI Navi Assistant - AI Route planner with smart detour, iOS/Android deep links - currently support Amap Bonus toolbox: weather, POI search, geocoding, district query, etc. Currently supports Amap, more platforms coming- https://github.com/AI4MSE/NavClaw
v0.1.5
v0.1.5 fix release: Your Personal AI Navi Assistant - AI Route planner with smart detour, iOS/Android deep links - currently support Amap Bonus toolbox: weather, POI search, geocoding, district query, etc. Currently supports Amap, more platforms coming- https://github.com/AI4MSE/NavClaw
v0.1.4
v0.1.4 fix release: Your Personal AI Navi Assistant - AI Route planner with smart detour, iOS/Android deep links - currently support Amap Bonus toolbox: weather, POI search, geocoding, district query, etc. Currently supports Amap, more platforms coming- https://github.com/AI4MSE/NavClaw
v0.1.2
v0.1.2 release: Your Personal AI Navi Assistant - AI Route planner with smart detour, iOS/Android deep links - currently support Amap Bonus toolbox: weather, POI search, geocoding, district query, etc. Currently supports Amap, more platforms coming- https://github.com/AI4MSE/NavClaw
v0.1.1
v0.1.1 release: Your Personal AI Navi Assistant - AI Route planner with smart detour, iOS/Android deep links - currently support Amap Bonus toolbox: weather, POI search, geocoding, district query, etc. Currently supports Amap, more platforms coming- https://github.com/AI4MSE/NavClaw
v0.1.0
v0.1.0 Initial release: Your Personal AI Navi Assistant - AI Route planner with smart detour, iOS/Android deep links - currently support Amap - https://github.com/AI4MSE/NavClaw
Metadata
Frequently Asked Questions
What is NavClaw?
Smart driving — exhaustive route search, may outperform default navigation. 导航/自驾/极限避堵, dozens of routes. One-tap iOS/Android deep link. Supports 高德/Amap. 智能... It is an AI Agent Skill for Claude Code / OpenClaw, with 641 downloads so far.
How do I install NavClaw?
Run "/install navclaw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is NavClaw free?
Yes, NavClaw is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does NavClaw support?
NavClaw is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created NavClaw?
It is built and maintained by AI4MSE (@ai4mse); the current version is v1.0.3.
More Skills