Google Maps Grounding MCP

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent Google Maps MCP connector, but users should notice that it installs mcporter, stores/uses a Google Maps API key, and sends location-related queries to Google’s MCP service.

This skill appears purpose-aligned and not suspicious from the provided artifacts. Before installing, verify the mcporter npm package, use a restricted Google Maps API key, and be mindful that location searches, addresses, and route details can be sent to Google’s MCP service.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

Your Google Maps API key will be used for requests made through this MCP configuration.

Why it was flagged

The skill requires a Google Maps API key and passes it as an API header to the Google Maps MCP endpoint. This is expected for the stated purpose, but it is still credentialed access that can affect quota or billing.

Skill content

Set env: `export GOOGLE_MAPS_API_KEY="YOUR_KEY"` ... `--header "X-Goog-Api-Key=$GOOGLE_MAPS_API_KEY"`

Recommendation

Use a restricted API key where possible, monitor quotas/billing, and remove or rotate the key if you no longer use the skill.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing the skill may install whatever version of mcporter is resolved by npm at install time.

Why it was flagged

The skill relies on installing the external npm package `mcporter`. This is central to the skill’s stated MCP purpose, but the provided install specification does not pin a version.

Skill content

node | package: mcporter | creates binaries: mcporter

Recommendation

Confirm the mcporter package source and version before installing, especially in sensitive environments.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Searches, addresses, coordinates, origins, destinations, and weather locations may be sent to Google’s MCP service when the tool is used.

Why it was flagged

The skill configures a remote MCP endpoint and sends place, weather, and route queries to that provider. This is disclosed and purpose-aligned, but location and route details can be sensitive.

Skill content

`--url https://mapstools.googleapis.com/mcp` ... `search_places`, `lookup_weather`, `compute_routes`

Recommendation

Avoid sending sensitive location details unless you are comfortable sharing them with the configured Google Maps service.

ASI10: Rogue Agents
Info
What this means

The MCP connection may remain configured after setup rather than being temporary for one command.

Why it was flagged

The setup creates a named mcporter configuration with a system-scoped flag. The artifacts do not show hidden background activity, but the configuration is persistent until changed or removed.

Skill content

`mcporter config add grounding-lite ... --system`

Recommendation

Review where mcporter stores this configuration and remove the `grounding-lite` entry when it is no longer needed.