ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CoreLocationCLI

v1.0.0

Get the physical location of your macOS device and print it to stdout.

0· 76·0 current·0 all-time
by@jerrykfc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to run a CoreLocation-backed CLI on macOS, which is coherent. However the registry requires the 'swift' binary even though the SKILL.md shows usage of a prebuilt CLI (CoreLocationCLI) and provides no build instructions. Requiring 'swift' is disproportionate unless the agent is expected to compile the tool from source (no source or build steps are provided). The registry's top-level OS restriction is 'none' while the SKILL.md metadata states 'os: macOS' — minor inconsistency.
Instruction Scope
SKILL.md instructs only how to run the CLI and how to install it via Homebrew; it does not ask the agent to read unrelated files or credentials. However the action itself is privacy-sensitive (device geolocation) and will require macOS location permissions and Gatekeeper approval. The instructions do not explain where the CLI binary comes from or what code will run when invoked.
!
Install Mechanism
There is no formal install spec (instruction-only), which is lower risk for automatic installs, but the manual Installation line is ambiguous/malformed ('brew install cask corelocationcli' is not a standard brew command). Because no source, homepage, or release URL is provided, there's no provenance for the binary the user is asked to run. That missing provenance increases risk if the user chooses to install a third-party cask.
Credentials
The skill declares no environment variables, credentials, or config paths. That's proportionate for a CLI that prints local location. The primary risk here is privacy (location), not credential access.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges in the registry metadata. It does not attempt to modify other skills or system config in the provided instructions.
What to consider before installing
This skill will access your Mac's location (a privacy-sensitive operation). Before installing or running it: 1) Confirm the binary's provenance — prefer an official homepage, GitHub repo, or a verified Homebrew cask. 2) Don't run unfamiliar install commands; the SKILL.md's 'brew install cask corelocationcli' looks incorrect — correct invocation would usually be 'brew install --cask <name>' or 'brew install <formula>'. 3) After installing, inspect the binary (which CoreLocationCLI; codesign -dv --verbose=4 /path/to/CoreLocationCLI) and review its source if available. 4) Be prepared to deny macOS location permission if you don't trust the binary. 5) If you need strong assurance, request the skill author/source info (homepage or repository) or prefer a version from a well-known package repository.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f9qwhfs1tavc6092qqcf42d83h5y5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📍 Clawdis
Binsswift

Comments