Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

cafes

v0.1.0

Find nearby cafes. Invoke when user asks for coffee near me.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description, inputs (lat/lng, radius, filters) and outputs align with a 'nearby cafes' skill. However, the SKILL.md does not declare or describe any data provider (e.g., Google/Foursquare/OpenStreetMap) or required API keys; it also references a local file:// path (STANDARD_RESPONSE.md) that is not bundled with the skill. The lack of a declared provider/credentials is unexpected but could be legitimate if the platform supplies POI data; the skill should state which provider it relies on.
Instruction Scope
Instructions stay within the stated purpose (collect location input, apply radius/filters, return POI list, apply privacy blurring). They explicitly require user authorization for location. Concern: instructions are vague about how/where queries are performed and what network endpoints will be contacted, and they reference an external local file path for the standard response schema that isn't part of the skill bundle.
Install Mechanism
No install spec and no code files (instruction-only). This is low-risk from an installation perspective since nothing is written to disk by the skill itself.
Credentials
The skill requests no environment variables or credentials, which is consistent with the absence of a provider. However, if the implementation must call an external POI API in practice, it would normally need provider credentials; their absence is a gap that should be explained.
Persistence & Privilege
The always flag is false, and there are no install-time or config-write behaviors described. The skill does not request persistent privileges or cross-skill configuration changes.
What to consider before installing
This skill appears to do what it says, but it omits key operational details. Before installing or enabling it:
1) Ask the author which data provider(s) it queries (Google, Foursquare, OSM, internal index) and whether any API keys are required.
2) Verify the STANDARD_RESPONSE.md schema referenced by the skill (the SKILL.md points to a local file:// path that was not included).
3) Confirm how precise location data is handled, stored, or logged; ensure the blur/grid guidance is actually implemented and that precise coordinates are not retained or exfiltrated.
4) If the skill will call external APIs, request a list of endpoints and whether any credentials will be sent.
5) If you cannot obtain those answers, treat the skill cautiously (do not provide precise location data) or decline to install.
Additional evidence that would reduce concerns: an included STANDARD_RESPONSE.md, explicit provider and endpoint details, or an implementation that uses only built-in platform POI services without needing extra credentials.
