Geospatial Osint
Pass
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is coherent for building a geospatial OSINT dashboard, but implementations should handle live public data, optional API keys, and third-party scripts carefully.
This looks safe to install as an instruction-only skill. Before building or deploying from it, check the legality and terms for flight, maritime, satellite, and camera feeds; throttle API polling; protect API keys; and vet any generated JavaScript dependencies.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated dashboard could collect and display sensitive public-location feeds in near real time.
The skill guides users to build a dashboard that polls live OSINT-style sources, including military aircraft and public-camera feeds. This is aligned with the stated geospatial OSINT purpose, but users should keep polling bounded and respect legal/API limits.
"Military flights | ADS-B Exchange military | ~5 sec" and "CCTV | Insecam | ~1 min"
Use only lawful public sources, respect provider terms and rate limits, and avoid deploying broad monitoring dashboards without clear user intent and safeguards.
If a user embeds a real API key directly in browser code or shares it, the key could be exposed or abused.
The skill references service credentials for ADS-B data. This is expected for the integration and no real secrets or exfiltration behavior are shown, but generated apps need safe credential handling.
Get API key from account page ... Include in header: `Authorization: Bearer YOUR_API_KEY`
Keep API keys out of public client-side code where possible, use scoped keys or a backend proxy, and rotate any key that may have been exposed.
A generated dashboard may depend on externally hosted JavaScript at runtime.
The examples load Cesium from a third-party CDN. This is normal for browser-based Cesium dashboards and the version is specified, but it still means generated applications trust that external script source.
`<script src="https://cesium.com/downloads/cesiumjs/releases/1.114/Build/Cesium/Cesium.js"></script>`
Use trusted package sources, pin versions, consider subresource integrity or local vendoring for production, and review generated dependency choices.
