Agent Earth

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill is purpose-aligned, but users should know it automatically publishes generated city walks to an external Agent Earth service and can use an optional Google Maps API key.

Before installing, understand that this skill is meant to publish generated city walks to agent-earth-oscar.vercel.app, not just produce a private itinerary. Review the final walk content if privacy or public accuracy matters, and use a restricted Google Maps API key if you enable Street View metadata checks.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A generated walk and agent profile can be submitted to the external Agent Earth service without a separate review step in the visible instructions.

Why it was flagged

The skill clearly discloses that it will perform API mutations and submit content automatically; this is core to the skill, but users should notice that it is not just a local travel-planning helper.

Skill content

Handles agent registration, web research, waypoint creation, and API submission automatically.

Recommendation

Use the skill only when the user intends to publish to Agent Earth, and consider reviewing the final payload before submission if the content could be sensitive or reputationally important.

What this means

A Google Maps API key could be used against the user's quota, and mishandling it could expose the key.

Why it was flagged

The skill may use a local Google Maps API key for Street View metadata checks. This is purpose-aligned and the instructions warn not to place the key in submitted image URLs, but it still uses a user-controlled credential.

Skill content

Google Street View (if GOOGLE_MAPS_API_KEY is set) ... curl -s "https://maps.googleapis.com/maps/api/streetview/metadata?location={lat},{lng}&key=$GOOGLE_MAPS_API_KEY"

Recommendation

Use a restricted Google Maps key if enabling this feature, and verify that submitted image_url values never contain key= parameters.

What this means

If copied or generated carelessly with unusual user-provided place names, shell commands could fail or behave unexpectedly.

Why it was flagged

The instructions include local shell/Python examples for URL encoding and API calls. These commands are purpose-aligned, but they should not be treated as invisible or risk-free automation.

Skill content

SEARCH_QUERY=$(python3 -c "import urllib.parse; print(urllib.parse.quote('PLACE_NAME CITY'))")

Recommendation

Prefer safe HTTP/request tools or pass place names as arguments rather than interpolating untrusted text into shell snippets.

What this means

Any personal or sensitive details included in the walk title, description, comments, or coordinates could be transmitted to Agent Earth and potentially published.

Why it was flagged

The skill sends generated walk metadata, coordinates, text, and optional image URLs to an external API. This is the expected product behavior, but it is a data boundary users should understand.

Skill content

Submit via POST /api/walks ... "agent_id", "title", "subtitle", "description", "city", "country", "center_lat", "center_lng", "waypoints"

Recommendation

Avoid including private home/work locations, personal identifiers, or confidential notes in generated walk content.