Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Multi Source Locate
v1.2.1Multi-source geolocation via GPS, System built-in, IP, WiFi, and cellular triangulation. Use when the user asks to determine their location, locate a device,...
⭐ 0· 81·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the included code: scripts for GPS (NMEA/gpsd/serial), system location (Windows/macOS/GeoClue2), Wi‑Fi scanning, cellular tower extraction, IP geolocation, and triangulation. The requested system access (serial ports, modem tools, OS location APIs, network calls) is consistent with the stated purpose.
Instruction Scope
SKILL.md instructs running scripts/locate.py which in turn runs many system commands and device accesses (PowerShell, dbus, mmcli, netsh, iwlist/airport, serial ports, gpsd, etc.) and transmits BSSID/cell/id data to external geolocation APIs. That behavior is expected for this functionality but is privacy‑sensitive: the instructions do not explicitly require an interactive user consent step prior to scanning hardware or sending identifiers to remote services.
Install Mechanism
There is no external installer/download step. This is an instruction+script bundle (no remote install URLs), so nothing is fetched from untrusted servers at install time. The included code itself executes subprocesses and network calls at runtime (expected for its purpose).
Credentials
The skill declares no required credentials but documents optional API keys (Google/MLS/Unwired, and ipinfo/ipgeolocation env vars used by code). These optional keys are proportional to the functionality and are not unexpected. Note: the code will access local hardware (serial ports, Wi‑Fi interfaces, modem manager) and collect identifiers (BSSID/MAC, cell IDs) which are sensitive.
Persistence & Privilege
No 'always' privilege is requested and no global agent configuration changes are apparent. The skill does not request persistent platform-level inclusion; it runs only when invoked.
Assessment
This skill appears to be what it says: a multi-source geolocation engine. Before installing or running it, consider the following:
- Privacy: it will scan local hardware (Wi‑Fi adapters, serial ports, cellular modems) and collect identifiers (BSSID/MAC, LAC/CID). Those identifiers may be sent to third‑party geolocation APIs. Only run on devices and networks where you’re comfortable sharing that data.
- Consent: ensure users understand the tool will access location hardware and may call external services; expect OS prompts for location access on Windows/macOS/Linux.
- Review & harden code: the included code invokes PowerShell with ExecutionPolicy Bypass via a temporary .ps1 file and runs many subprocesses; review those calls. One function creates an SSL context with verify_mode = CERT_NONE (disables TLS verification) — consider enabling proper TLS verification to prevent man‑in‑the‑middle risk.
- API keys: supply API keys only to services you trust; unset or omit keys to limit traffic to free/public services. Be aware which env var names the code checks (IPGEOLOCATION_API_KEY, IPINFO_API_KEY, GOOGLE_GEOLOCATION_API_KEY, UNWIRED_API_KEY, MLS_API_KEY).
- Run in a controlled environment first: test on a non‑production machine to observe behavior, network requests, and device access. If desired, sandbox or block network access except to trusted endpoints.
If you want, I can point to the exact lines where PowerShell is launched, where TLS verification is disabled, and where BSSID/cell data is packaged for external APIs so you or an auditor can review or modify them.Like a lobster shell, security has layers — review code before you run it.
latestvk979c0ybta4kj4a5vzzj63ggr984nce2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.