Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Google Maps Skill
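v1.0.0
Connects directly to the Google Maps Platform API through a script to perform geocoding, reverse geocoding, route planning, place search, place details, elevation queries, and time zone queries. Use when the user asks for "Google Maps query", "international route planning", or "place search", or needs to call the Google Maps API from a command-line script.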
by Rainman @deusyu
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The code and SKILL.md implement a Google Maps CLI calling official Google Maps endpoints (geocode, reverse-geocode, directions, places, elevation, timezone). Those capabilities align with the skill name and description. However the registry metadata lists no required environment variables or binaries even though the CLI requires a GOOGLE_MAPS_API_KEY and is executed with 'bun' — the metadata omission is inconsistent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to set GOOGLE_MAPS_API_KEY and run 'bun scripts/gmaps.ts'. The runtime instructions and the code limit behavior to building requests to Google Maps Platform endpoints and returning raw Google JSON. The skill does not attempt to read unrelated files, other env vars, or contact non-Google endpoints.
Install Mechanism
No install spec is provided (instruction-only install), and the repository contains the CLI source. There are no downloads, external install URLs, or archive extraction steps in the manifest — low install risk.
Credentials
The runtime and tests require one secret: GOOGLE_MAPS_API_KEY (used as either a query param or X-Goog-Api-Key header depending on API). The registry metadata incorrectly lists no required env vars and no primary credential. The absence of a declared primary credential and the failure to document the required API key in the registry is a material inconsistency that could lead to accidental key exposure or misuse if users assume no credential is required.
Persistence & Privilege
The skill does not request permanent or global agent privileges (always: false), does not modify other skills or system settings, and does not persist credentials itself. Autonomous invocation is allowed by default but is not combined with other high-risk privileges.
What to consider before installing
This package implements a straightforward Google Maps CLI and will make network requests directly to Google Maps Platform endpoints using your API key. Before installing:
1) Be aware the code expects the environment variable GOOGLE_MAPS_API_KEY (the registry metadata incorrectly omits this); ensure you supply a restricted API key (restrict by API, referrer/IP, and billing limits).
2) The CLI is executed with 'bun' (scripts/gmaps.ts) — you need Bun installed; the registry also omits this runtime requirement.
3) The skill sends your queries to Google (as ?key=... for legacy endpoints or X-Goog-Api-Key header for newer APIs) and prints raw Google JSON to stdout — monitor key usage and billing.
4) The omission of required env/binary declarations looks like sloppy packaging rather than malicious intent, but treat the API key as sensitive and only install if you accept that the skill will use your key to call Google Maps APIs.
Like a lobster shell, security has layers — review code before you run it.
