Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

spots

v0.2.0

Exhaustive Google Places search using grid-based scanning. Finds ALL places, not just what Google surfaces.

1 · 2.3k · 5 current · 5 all-time
by Dreetje @foeken

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for foeken/spots.

Install the skill "spots" (foeken/spots) from ClawHub.
Skill page: https://clawhub.ai/foeken/spots
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install spots

ClawHub CLI

npx clawhub@latest install spots

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The skill's stated purpose (exhaustive Google Places/grid scanning) legitimately requires a Google Places + Geocoding API key, and the SKILL.md reflects that. However, the registry metadata lists no required environment variables or primary credential, which is inconsistent with the runtime instructions that say to export GOOGLE_PLACES_API_KEY.
! Instruction Scope
The SKILL.md tells the agent/user to run a local binary (~/projects/spots/spots) or install via `go install github.com/foeken/spots@latest` and to export GOOGLE_PLACES_API_KEY. It references a 1Password path for the key. Instructions therefore: (a) expect an external, third-party binary to be executed (not provided by the skill), and (b) implicitly require the agent/environment to hold/read an API key not declared in metadata. There are no instructions that read unrelated system files, but running an arbitrary binary is a higher-scope action than an instruction-only skill usually requires.
Install Mechanism
There is no install spec in the registry (instruction-only). The SKILL.md recommends installing a Go binary from a third‑party GitHub repo (github.com/foeken/spots). That is a legitimate distribution method for a CLI, but the skill does not provide the binary itself nor vet it — installing/executing code from an external repo carries typical supply-chain risks and should be reviewed prior to installation.
! Credentials
The runtime instructions require a GOOGLE_PLACES_API_KEY (and implicitly access to 1Password/its path) but the skill metadata did not declare any required env vars or primary credential. Requesting a Google API key is proportionate for the described purpose, but the missing declaration and the 1Password reference are inconsistent and could lead to accidental exposure of a sensitive key if the agent/environment is configured without the user's careful review.
Persistence & Privilege
The skill does not set always:true, does not request system config paths, and has no install-time persistence declared. Autonomous invocation is allowed (platform default), but there is no extra permanent presence or modification of other skills/config reported.
What to consider before installing
This skill appears to be a wrapper around a third‑party CLI that performs grid-based queries of Google Places and therefore needs a Google Places + Geocoding API key. Before installing or running it:

1) Confirm the repository (https://github.com/foeken/spots) and review its code for any unexpected behavior (network calls, file access, telemetry).
2) Don't put your production-wide Google API key into a shared agent environment — create a key with minimal permissions and monitor usage/billing.
3) The registry metadata should have declared GOOGLE_PLACES_API_KEY; treat that omission as a red flag and avoid allowing the agent to auto-read environment secrets until the skill metadata is corrected.
4) If you use 1Password, verify how secrets are retrieved (do not give broad CLI/agent access to your vault without auditing).
5) If you want lower risk, run the CLI locally yourself (in an isolated environment) rather than giving the agent the ability to invoke the external binary automatically.

If the registry is updated to explicitly declare the API key requirement and to provide an audited install or embed the vetted client code, confidence would increase.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📍 Clawdis
latest vk974xhqebksmkngqd74hgn235d7zvhr1
2.3k downloads
1 star
2 versions
Updated 2h ago
v0.2.0
MIT-0

spots

Find the hidden gems Google doesn't surface.

Binary: ~/projects/spots/spots or go install github.com/foeken/spots@latest

Usage

# Search by location name
spots "Arnhem Centrum" -r 800 -q "breakfast,brunch" --min-rating 4

# Search by coordinates (share location from Telegram)
spots -c 51.9817,5.9093 -r 500 -q "coffee"

# Get reviews for a place
spots reviews "Koffiebar FRENKIE"

# Export to map
spots "Amsterdam De Pijp" -r 600 -o map --out breakfast.html

# Setup help
spots setup

Options

| Flag | Description | Default |
|---|---|---|
| -c, --coords | lat,lng directly | - |
| -r, --radius | meters | 500 |
| -q, --query | search terms | breakfast,brunch,ontbijt,café,bakkerij |
| --min-rating | 1-5 | - |
| --min-reviews | count | - |
| --open-now | only open | false |
| -o, --output | json/csv/map | json |

Setup

Needs Google API key with Places API + Geocoding API enabled.

spots setup  # full instructions
export GOOGLE_PLACES_API_KEY="..."

Key stored in 1Password: op://Echo/Google API Key/credential

Source

https://github.com/foeken/spots
