ClawHub

IsItWater

v1.0.0

Check if geographic coordinates are over water or land using the IsItWater API.

3· 1.4k·0 current·0 all-time
by@johnnagro
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name, description, and runtime instructions all focus on calling the IsItWater REST API and consistently reference ISITWATER_API_KEY as the credential. This is coherent for the stated purpose. Minor metadata inconsistency: the registry block lists "Required env vars: none" while the skill declares ISITWATER_API_KEY as its primary credential (primaryEnv).
Instruction Scope
SKILL.md stays within scope for the most part (check API key, call /v1/locations/water, optionally call /v1/accounts/me). It instructs the agent to offer to help sign up using a browser tool (navigate to isitwater.com and create an account) and to edit ~/.openclaw/openclaw.json to store the key. It also tells the agent to geocode place names before lookup but does not specify a geocoding provider — the agent could choose any method/tool to geocode, which is a functional gap (not necessarily malicious). The instructions will cause the agent to send user coordinates to an external service (IsItWater) — users should be aware of privacy/billing implications.
Install Mechanism
No install spec and no code files (instruction-only). This is the lowest-risk install model: nothing written or executed by the skill itself during installation.
Credentials
The skill requests a single API credential (ISITWATER_API_KEY), which is proportional to the service. It suggests two storage options: exporting an environment variable or writing the key into ~/.openclaw/openclaw.json under skills.entries.isitwater.apiKey. Storing API keys in a local JSON config is common but means the key will be on-disk in cleartext and accessible to local processes — users should prefer an env var or other secure secret storage if available.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistence. It is user-invocable and allows normal autonomous invocation (platform default), which is expected for a skills integration.
Assessment
This skill is coherent and appears to do exactly what it says: check coordinates against the IsItWater API. Before installing, consider the following: (1) The skill will send supplied coordinates to an external API — avoid sending sensitive/private locations if you care about privacy. (2) You must provide ISITWATER_API_KEY; prefer exporting it as an environment variable rather than storing it in ~/.openclaw/openclaw.json if you want to avoid plaintext storage. (3) SKILL.md suggests using a browser tool to sign up for the service — be cautious if you allow any automated browser interaction and do not let the agent autofill unrelated credentials. (4) The skill mentions geocoding place names but does not specify which geocoding service will be used; if you need geocoding, confirm which provider the agent will call (and whether it requires additional credentials). (5) The registry lists "Source: unknown" while README references a GitHub repo; if provenance matters, inspect the repository and confirm the publisher before installing. If these points are acceptable, the skill is reasonable to install.

Like a lobster shell, security has layers — review code before you run it.

latestvk97120xegn4g2bcd3cbfmc7xb580mfms

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌊 Clawdis
Primary envISITWATER_API_KEY

Comments