Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Google Maps Api Skill

v0.1.3

This skill helps users automatically scrape business data from Google Maps using the BrowserAct Google Maps API. Agent should proactively trigger this skill...

by Henk Nie @phheng
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, declared env var (BROWSERACT_API_KEY), and the included script all point to the same purpose: invoking BrowserAct's Google Maps workflow and returning results. The network endpoints (api.browseract.com) and the template ID in the script are consistent with the described capability.
Instruction Scope
SKILL.md instructs the agent to run the provided Python script, watch terminal logs, and retry once on non-auth failures — this stays within the scraping task. However the SKILL.md also emphasizes the agent should "proactively trigger" the skill; combined with autonomous invocation this could lead to repeated, automated scraping tasks if the agent is configured to invoke skills without tight user supervision.
Install Mechanism (!)
There is no install spec, which is low-risk, but the script imports the Python 'requests' package even though only 'python' is listed as a required binary. If 'requests' is not available at runtime the script will fail. The lack of an explicit dependency declaration (e.g., pip requirement) is an operational mismatch that could cause runtime errors or encourage ad-hoc installation steps by the agent.
Credentials
The skill only requests a single, relevant environment variable (BROWSERACT_API_KEY) which is proportional to its purpose. Two minor issues: (1) the registry metadata lists 'Primary credential: none' despite requiring BROWSERACT_API_KEY, which is inconsistent; (2) the skill will send the API key to api.browseract.com (Authorization: Bearer ...), so users should ensure they trust that service and the key's scope/permissions.
Persistence & Privilege
The skill does not request persistent or privileged installation (always is false). It does not modify other skills or system config. Autonomous invocation is enabled by default but not combined with an 'always' flag or other elevated privileges.
What to consider before installing
This skill appears to do what it claims (call BrowserAct to scrape Google Maps), but take these precautions before installing:
- Confirm you trust the BrowserAct service and that you want to provide it with an API key (the script will transmit your key to api.browseract.com).
- Be aware the SKILL.md expects the agent to 'proactively trigger' the skill; if the agent can invoke skills autonomously, configure invocation policies or require explicit user confirmation to avoid unwanted mass scraping.
- Ensure the runtime environment has the Python 'requests' package installed (the skill does not declare this dependency), or the script will fail.
- Note the registry metadata omitted marking the API key as the primary credential; verify the skill's configuration in the registry/UI before granting secrets.
- Consider legal and privacy implications of automated scraping for your use case (terms of service, regional laws).

If you need stronger assurance, request the publisher's homepage/source provenance and an explicit dependency list before enabling the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk970vgkyg486p42vkvh4mjp4vx833n4q

Runtime requirements

🌐 Clawdis
Bins: python
Env: BROWSERACT_API_KEY
