Irish Takeaway Finder

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: irish-takeaway
Version: 1.0.0

The skill bundle is benign, aligning with its stated purpose of finding takeaways and browsing menus. It uses the `goplaces` CLI tool and OpenClaw's native browser automation for Deliveroo/Just Eat. There is no evidence of data exfiltration, malicious execution (e.g., `curl|bash`), persistence mechanisms, or prompt injection attempts against the agent in SKILL.md. The `search-takeaways.sh` script safely uses the `goplaces` binary and checks for the `GOOGLE_PLACES_API_KEY` environment variable without exposing it.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may navigate Deliveroo or Just Eat and interact with restaurant pages to extract menus.

Why it was flagged

The skill uses browser automation to interact with external food-delivery websites. This is central to menu browsing and is disclosed, but browser automation can act on web pages and should remain user-directed.

Skill content

browser action=start target=host ... browser action=navigate targetUrl="https://deliveroo.ie/" ... Find and click on restaurant from list

Recommendation

Use the browser automation only for menu browsing, review actions before entering precise addresses, and stop before login, payment, or ordering steps.

What this means

Searches may consume the user’s Google Places API quota or incur API usage costs depending on the key’s configuration.

Why it was flagged

The skill requires a Google Places API key so goplaces can perform restaurant discovery. This is expected for the purpose, and the artifacts do not show hardcoding, logging, or unrelated use of the key.

Skill content

- `GOOGLE_PLACES_API_KEY` environment variable set

Recommendation

Use a restricted API key limited to Google Places, monitor quota/billing, and avoid sharing the key in chat or files.

What this means

The skill’s search behavior depends on the externally installed goplaces tool and its supply chain.

Why it was flagged

The skill depends on an external CLI installed by the user from a Homebrew tap. This is disclosed and purpose-aligned, with no automatic install or hidden helper execution shown.

Skill content

`goplaces` CLI installed (`brew install steipete/tap/goplaces`)

Recommendation

Install goplaces only from a source you trust and keep it updated.

What this means

Approximate or exact location details may be shared with third-party food-delivery sites during menu lookup.

Why it was flagged

The workflow sends location text to external providers such as Deliveroo or Just Eat. This is necessary for nearby menu browsing, but it is a user-location data flow.

Skill content

Enter location in address search box: ... "text": "Drogheda, Co. Louth"

Recommendation

Use the least precise location that still works, and avoid entering home addresses unless needed.