Jlm Coffee
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: jlm-coffee Version: 2.1.0 The OpenClaw skill 'jlm-coffee' is a benign utility for searching Jerusalem coffee shops. It fetches data from a single, hardcoded public Google Docs URL (https://docs.google.com/document/d/1BfsXKQLbKjogfSebRr0Ixt4L4VJHqPqTfnWxkosvcuM/export?format=txt) using `urllib.request`. The `SKILL.md` provides clear instructions without any prompt injection attempts. The `jlm-coffee.py` script uses only Python standard libraries, stores temporary cache files in `tempfile.gettempdir()`, and processes user input safely without any shell injection vulnerabilities or dynamic code execution. There is no evidence of data exfiltration, persistence mechanisms, or other malicious behaviors.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users may want to verify that the installed package matches the advertised GitHub project before relying on it.
The registry does not identify a verified source, and the SKILL.md frontmatter shows a different version value. This is a minor provenance/versioning note, not evidence of malicious behavior.
Source: unknown ... Version: 2.1.0 ... Homepage: https://github.com/alexpolonsky/agent-skill-jlm-coffee
If provenance matters, compare the installed files with the linked repository or install only from a trusted registry/source.
The agent may display stale, inaccurate, or user/community-supplied shop details, but the artifacts do not show private data collection or credential use.
The skill retrieves public third-party coffee-shop data and stores it briefly in a local temp cache. This supports the stated purpose, but the retrieved content should be treated as untrusted directory data.
DATA_URL = f"https://docs.google.com/document/d/{DOC_ID}/export?format=txt" ... CACHE_TTL = 900 ... CACHE_DIR = os.path.join(tempfile.gettempdir(), "jlm-coffee")Use the output as coffee-directory information only and verify important details such as opening hours before relying on them.