Jlm Coffee
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users may want to verify that the installed package matches the advertised GitHub project before relying on it.
The registry does not identify a verified source, and the SKILL.md frontmatter shows a different version value. This is a minor provenance/versioning note, not evidence of malicious behavior.
Source: unknown ... Version: 2.1.0 ... Homepage: https://github.com/alexpolonsky/agent-skill-jlm-coffee
If provenance matters, compare the installed files with the linked repository or install only from a trusted registry/source.
The agent may display stale, inaccurate, or user/community-supplied shop details, but the artifacts do not show private data collection or credential use.
The skill retrieves public third-party coffee-shop data and stores it briefly in a local temp cache. This supports the stated purpose, but the retrieved content should be treated as untrusted directory data.
DATA_URL = f"https://docs.google.com/document/d/{DOC_ID}/export?format=txt" ... CACHE_TTL = 900 ... CACHE_DIR = os.path.join(tempfile.gettempdir(), "jlm-coffee")Use the output as coffee-directory information only and verify important details such as opening hours before relying on them.