ClawHub

spots

ReviewAudited by ClawScan on May 1, 2026.

Overview

The skill is coherent with its Google Places search purpose, but users should verify the external CLI install and use a restricted Google API key.

Before installing, verify the GitHub CLI source and consider pinning a version. Use a restricted Google API key with Places and Geocoding only, set quotas or billing alerts, and avoid exporting the key outside intentional use of this tool.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

Installing from '@latest' means the code fetched later could differ from what the user expected.

Why it was flagged

The skill relies on an external CLI install using an unpinned '@latest' source. This is aligned with the CLI-based purpose, but users should verify the repository and version before running it.

Skill content
Binary: `~/projects/spots/spots` or `go install github.com/foeken/spots@latest`
Recommendation

Install from a trusted repository, review the project if possible, and pin a known version or commit when practical.

Medium
#ASI03: Identity and Privilege Abuse
What this means

The CLI may use the Google API key to make Places and Geocoding requests, which can consume quota or incur charges.

Why it was flagged

The skill requires a Google API key and references a 1Password secret location. This credential is expected for Google Places access, but it is sensitive and can affect billing or quota.

Skill content
Needs Google API key with Places API + Geocoding API enabled.

export GOOGLE_PLACES_API_KEY="..."

Key stored in 1Password: `op://Echo/Google API Key/credential`
Recommendation

Use a restricted Google API key limited to the required APIs, set quotas/billing alerts, and only expose the key to the CLI when intentionally using the skill.

Low
#ASI02: Tool Misuse and Exploitation
What this means

Broad searches may take time and consume Google API quota or paid usage.

Why it was flagged

The stated grid-based exhaustive search behavior is central to the skill, but it implies potentially many API calls depending on radius and query settings.

Skill content
Exhaustive Google Places search using grid-based scanning. Finds ALL places, not just what Google surfaces.
Recommendation

Start with small radii and specific queries, then expand deliberately while monitoring API usage.