Back to skill
Skillv1.0.0
ClawScan security
Geocode Lookup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 4, 2026, 3:43 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's claims (forward/reverse geocoding and distance calculations) match its simple instruction-only implementation; it calls a single external API and requests no credentials or installs.
- Guidance
- This skill is internally consistent and lightweight, but it sends addresses/coordinates to an external service (https://geocode.agentutil.net). Before installing, verify you trust that domain and its privacy claims, avoid sending private or sensitive addresses, and be cautious if the skill later asks to perform or authorize payments (it mentions a paid tier via a crypto protocol but does not currently request credentials). If you need guaranteed privacy, consider a trusted provider or an offline/local geocoding implementation.
Review Dimensions
- Purpose & Capability
- okThe name/description match the SKILL.md: all runtime instructions are about sending addresses/coordinates to an external geocoding API and computing distances. No unrelated binaries, env vars, or installs are requested.
- Instruction Scope
- noteThe instructions explicitly send user-supplied addresses/coords to https://geocode.agentutil.net via POST requests — this is expected for a geocoding skill. The SKILL.md includes a privacy warning not to send private addresses. Because it transmits user data to an external service, users should be aware of network exposure and the operator's privacy claims.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files — nothing is written to disk or installed. Low install risk.
- Credentials
- noteThe skill declares no required environment variables or credentials, which is proportional to a free-tier geocoding API. It mentions a paid tier using an 'x402 protocol (USDC on Base)' but provides no instructions to perform payments or require wallet credentials; users should be cautious if later asked to provide private keys or authorize payments.
- Persistence & Privilege
- okalways:false and no requests to modify agent or system configuration. The skill does not request persistent privileges or access to other skills' settings.