Jlm Coffee

Pass

Audited by ClawScan on May 1, 2026.

Overview

This looks like a benign coffee-shop lookup tool that fetches public directory data and caches it briefly, with only minor provenance and untrusted-data notes.

This appears safe to install for coffee-shop lookup use. Expect it to contact a public Google Docs export and write a temporary cache; treat the returned shop details as public, possibly stale information and verify key details before acting on them.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Users may want to verify that the installed package matches the advertised GitHub project before relying on it.

Why it was flagged

The registry does not identify a verified source, and the SKILL.md frontmatter shows a different version value. This is a minor provenance/versioning note, not evidence of malicious behavior.

Skill content

Source: unknown ... Version: 2.1.0 ... Homepage: https://github.com/alexpolonsky/agent-skill-jlm-coffee

Recommendation

If provenance matters, compare the installed files with the linked repository or install only from a trusted registry/source.

What this means

The agent may display stale, inaccurate, or user/community-supplied shop details, but the artifacts do not show private data collection or credential use.

Why it was flagged

The skill retrieves public third-party coffee-shop data and stores it briefly in a local temp cache. This supports the stated purpose, but the retrieved content should be treated as untrusted directory data.

Skill content

DATA_URL = f"https://docs.google.com/document/d/{DOC_ID}/export?format=txt" ... CACHE_TTL = 900 ... CACHE_DIR = os.path.join(tempfile.gettempdir(), "jlm-coffee")

Recommendation

Use the output as coffee-directory information only and verify important details such as opening hours before relying on them.