Location Service

Review

Audited by ClawScan on May 15, 2026.

Overview

This location skill mostly matches its purpose, but its Google Maps short-link resolver can be tricked into making network requests outside Google Maps.

Review before installing. It appears intended for normal location lookup tasks, but avoid feeding it untrusted Google Maps short links until URL validation is tightened, and only use location data you are comfortable sharing with external map/geocoding services.

Publisher note

This skill needs network access to query Nominatim for geocoding, resolve Google Maps URLs, and retrieve weather data.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent processes an untrusted link, it could be induced to make unintended network requests from the user's environment.

Why it was flagged

The URL check is only a prefix/substring-style validation and allows http. Because resolve_short_url opens the original user-supplied URL, a crafted Google-looking URL could make the agent contact a non-Google, localhost, or private-network host.

Skill content

re.match(r'https?://(maps\.google\.com|www\.google\.com/maps|maps\.app\.goo\.gl)', text.strip()) ... if 'maps.app.goo.gl' in url: url = resolve_short_url(url) ... urllib.request.urlopen(req, timeout=10)

Recommendation

Parse URLs with a URL parser, require https, require the exact hostname maps.app.goo.gl before fetching, reject userinfo or deceptive hostnames, block localhost/private IP destinations, and validate the final redirect target before using it.

What this means

Addresses, place names, or coordinates you provide may be shared with external mapping services.

Why it was flagged

Forward geocoding sends the user's address/place query to the external Nominatim service; reverse geocoding similarly sends coordinates. This is disclosed and central to the skill, but location data can be sensitive.

Skill content

url = "https://nominatim.openstreetmap.org/search" ... params = { 'format': 'json', 'q': address, 'limit': 1 } ... requests.get(url, params=params, headers=headers, timeout=10)

Recommendation

Use the skill only with locations you are comfortable sending to OpenStreetMap/Nominatim or resolving through Google Maps link infrastructure.

What this means

Some advertised resources or setup expectations may not match what is actually installed, which can cause confusion or failed functionality.

Why it was flagged

SKILL.md references helper files that are not present in the manifest; the actual code has inline Google Maps parsing and only a weather stub. This indicates stale or incomplete packaging documentation rather than hidden code.

Skill content

- `weather_integration.py` - Helper for getting weather data ... - **`parse_google_maps_url.py`** - **[NEW] Extract lat/lon from a Google Maps URL**

Recommendation

Clarify the package manifest, remove stale file references, and declare Python/runtime dependencies such as requests if the scripts are meant to be executed.