geocode

PassAudited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill Name: geocode Version: 1.0.4 The geocode skill is a legitimate utility for reverse geocoding coordinates using the geocode.com.cn API. The bash script (scripts/geocode.sh) includes proper input validation for latitude and longitude using regex, uses safe argument passing for curl to prevent injection, and follows standard configuration patterns via environment variables. No evidence of data exfiltration, malicious execution, or prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note

ASI07: Insecure Inter-Agent Communication

What this means

The geocoding provider can see the coordinates being looked up and the configured User-Agent.

Why it was flagged

The script sends the supplied latitude and longitude to the configured geocoding provider. This is disclosed and necessary for the skill, but it is still an external data flow involving location data.

Skill content

base_url="${GEOCODE_BASE_URL:-https://geocode.com.cn}" ... --data "lat=$latitude" ... --data "lon=$longitude"

Recommendation

Use this skill only for coordinates you are comfortable sending to the configured provider; use a trusted self-hosted endpoint via GEOCODE_BASE_URL for sensitive locations.