Query
Pass
Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: camino-query
Version: 2.0.1
The skill is a legitimate wrapper for the Camino AI location intelligence API. It uses a shell script (scripts/query.sh) to safely parse JSON input and make authenticated GET requests to a hardcoded endpoint (api.getcamino.ai), with no evidence of malicious behavior or data exfiltration beyond its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can use the Camino API key for Camino requests, which may consume quota or paid usage if the key has billing attached.
The skill asks the user to persist an API key so the agent can authenticate to Camino; this is expected for the stated API integration but is still sensitive credential access.
authenticate via the `CAMINO_API_KEY` environment variable ... Add to your `~/.claude/settings.json`
Use a dedicated, revocable Camino API key, monitor usage, and remove it from Claude settings when no longer needed.
Place searches, coordinates, and related query details are shared with Camino AI.
The script sends the API key plus user-provided query parameters, which may include locations or coordinates, to the disclosed Camino API endpoint.
-H "X-API-Key: $CAMINO_API_KEY" ... "https://api.getcamino.ai/query?${QUERY_STRING}"
Avoid submitting sensitive private locations or queries unless you are comfortable sharing them with Camino's API.
If the user follows the broad GitHub install command, they may install more code or skills than this single reviewed skill.
The installation documentation includes a user-run, unpinned GitHub repository install path and an option to install a broader companion-skill suite.
npx skills add https://github.com/barneyjm/camino-skills
Prefer the specific skill install path, review companion skills separately, and install only from sources you trust.
