ClawHub
Back to skill
v0.1.0

Geospacial relationship between two locations

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:46 AM.

Analysis

The skill is coherent for location relationship calculations, but it sends provided coordinates to Camino's API using a Camino API key and includes optional broad install guidance for related skills.

GuidanceThis appears safe for its stated purpose. Before installing, decide whether you only need this single relationship skill or the broader Camino suite, and only provide location pairs and an API key you are comfortable sending to Camino's API.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
Companion Skills: This is part of the Camino AI location intelligence suite. Install all available skills ... npx skills add https://github.com/barneyjm/camino-skills

The documentation recommends a user-directed install of many companion skills from a GitHub repository, which is broader than this relationship skill. It is disclosed and optional, but users should review what else they are installing.

User impactInstalling the full suite could add additional agent behaviors beyond calculating relationships between two points.
RecommendationInstall only the specific relationship skill unless you intentionally want the full Camino suite, and review the source/repository before adding extra skills.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
scripts/relationship.sh
-H "X-API-Key: $CAMINO_API_KEY"

The script uses the CAMINO_API_KEY credential to call the Camino API. This is expected for the service and no unrelated credential use is shown.

User impactAnyone with access to this environment variable may be able to use the associated Camino API quota or account access.
RecommendationStore the key securely, avoid sharing logs or settings files containing it, and rotate the key if it is exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
scripts/relationship.sh
-d "$INPUT" \
    "https://api.getcamino.ai/relationship"

The provided start/end coordinates and options are sent to an external Camino API endpoint. This is purpose-aligned, but location pairs can be sensitive.

User impactLocation data entered into the skill is transmitted to Camino's service for processing.
RecommendationDo not submit sensitive personal locations unless you are comfortable with Camino processing them; review the provider's privacy and retention terms if needed.