Google Maps

Review

Audited by ClawScan on May 10, 2026.

Overview

The Google Maps integration mostly matches its purpose, but its place-search code can expose your Google API key in returned photo URLs.

Before installing, make sure your Google Maps API key is restricted by API, referrer/IP where possible, and quota. Avoid using the place search/photo output until the skill is patched so it no longer prints the API key inside returned URLs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Google Maps API key could appear in chat output, logs, or shared transcripts, and could be abused for quota or billing if exposed.

Why it was flagged

The search result returned to the user/agent embeds the environment API key directly into a URL.

Skill content

place["photo_url"] = f"https://maps.googleapis.com/maps/api/place/photo?maxwidth=400&photoreference={photo_ref}&key={self.api_key}"

Recommendation

Do not return API keys in output URLs. Patch the skill to omit photo_url, fetch photos through a controlled helper without printing the key, or use a tightly restricted/regenerated Google Maps key.

What this means

The agent can run the helper to make Google Maps requests using locations or addresses you provide.

Why it was flagged

The skill grants command execution so the agent can run the included Python helper, which is central to the documented maps workflow.

Skill content

allowed-tools: [exec] ... python3 skills/google-maps/lib/map_helper.py <action> [options]

Recommendation

Keep use limited to the documented helper actions and review commands if the agent proposes anything outside the documented map operations.

What this means

Locations and route queries you ask about will be shared with Google, which is expected for this integration but still privacy-relevant.

Why it was flagged

User-provided addresses, coordinates, and place queries are sent to Google Maps APIs with the configured API key.

Skill content

params = {"address": address, "key": self.api_key, "language": language}; res = requests.get(url, params=params).json()

Recommendation

Use the skill only for locations you are comfortable sending to Google, and apply Google Cloud API restrictions and quotas to the key.