Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nearby Brunch Spots
v0.1.0
Find nearby brunch spots. Invoke when user asks for brunch near me.
by @clawkk
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with returning nearby brunch POIs. However, the skill does not declare where POI data should come from (no provider, API, or required credentials listed) and references STANDARD_RESPONSE.md which is not included — this gap makes it unclear what external access or secrets would actually be needed.
Instruction Scope
SKILL.md stays on-topic (expects lat/lng input, radius, filters, and defines response and error codes). It also contains privacy guidance (request consent, blur coords). But the instructions are vague about how to obtain data: they don't specify allowed endpoints, APIs, or prohibited actions, so an agent could fall back to web-scraping, calling third-party APIs, or requesting API keys at runtime.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest installation risk. Nothing will be written to disk by an installer.
Credentials
The skill declares no environment variables or credentials, which is coherent if the platform supplies a POI provider. However, fetching POI data commonly requires API keys (e.g., Google, Mapbox, or Here); the absence of any declared credentials is a potential mismatch unless the runtime platform provides the service implicitly.
Persistence & Privilege
always is false and the skill does not request persistent system-wide changes. No indications it modifies other skills or agent configs.
What to consider before installing
This skill appears to do what it says (list nearby brunch spots) but leaves important runtime details unspecified. Before installing, ask the publisher or platform: (1) Where should the skill obtain POI data? Which provider(s) are allowed? (2) Is STANDARD_RESPONSE.md available in your environment or part of the platform schema? (3) If external APIs are used, what credentials will be required and how will they be stored? (4) Confirm the agent will not send precise coordinates to arbitrary third parties — ask for an allowlist of endpoints or an explicit data-flow description. If you cannot get those answers, treat the skill as risky because it could prompt you for API keys or call external services unexpectedly.
Like a lobster shell, security has layers — review code before you run it.
latest vk97d3htrkt54bch8rx18rxzvz983f9xe
