v0.1.2

Google Maps Reviews Api Skill

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:28 AM.

Analysis

The skill transparently runs a BrowserAct workflow to retrieve Google Maps reviews; the main considerations are API key handling, external data sharing, and possible API quota/runtime use.

GuidanceThis skill appears coherent and purpose-aligned. Before installing, make sure you trust BrowserAct and the skill publisher enough to use a BrowserAct API key, avoid sending sensitive search queries, and monitor API quota or runtime for broad review-collection tasks.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

python -u ./scripts/google_maps_reviews_api.py "Keywords" "Language" "Country" ... automatically try to re-execute the script once

The agent is instructed to run a local Python command and may retry once on certain failures. This is central to the skill's purpose and bounded, but it can create additional external API usage.

User impactA requested review extraction may start an external BrowserAct task and, on failure, a second attempt, which could take time or consume quota.

RecommendationFor large or costly review-collection jobs, confirm the intended query and monitor the run; stop it if the task appears unexpected or too long-running.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceHighStatusNote

metadata

Source: unknown; Homepage: none

The artifacts do not provide a source repository or homepage to verify provenance. The included code is straightforward, so this is a provenance note rather than a behavior concern.

User impactIt may be harder to independently verify who maintains the skill or whether updates come from a trusted project.

RecommendationReview the included script before use and verify the BrowserAct endpoint and publisher trust before providing an API key.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

scripts/google_maps_reviews_api.py

api_key = os.getenv("BROWSERACT_API_KEY"); headers = {"Authorization": f"Bearer {api_key}"}

The script reads a BrowserAct API key from the environment and uses it as a bearer token for BrowserAct requests. This is expected for the stated API integration, with no evidence of unrelated credential use.

User impactAnyone using the skill must provide a BrowserAct credential that could be used to run BrowserAct workflows or consume account quota.

RecommendationPrefer setting the API key as an environment variable, avoid pasting it into chat when possible, and rotate it if it is exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

scripts/google_maps_reviews_api.py

API_BASE_URL = "https://api.browseract.com/v2/workflow"; {"name": "KeyWords", "value": keywords}

The skill sends the user's search keywords, language, and country to the external BrowserAct workflow API. This data flow is disclosed and purpose-aligned.

User impactSearch terms and retrieved review data are handled by BrowserAct, so private research topics or sensitive business queries may leave the local environment.

RecommendationUse the skill only for queries you are comfortable sending to BrowserAct, and review BrowserAct's data handling terms if the searches are sensitive.