Google Maps

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: google-maps
Version: 3.2.0

The google-maps skill bundle is a legitimate integration for Google Maps using the modern Routes API. The code in lib/map_helper.py correctly handles API requests to official Google endpoints (maps.googleapis.com and routes.googleapis.com) and requires a standard GOOGLE_API_KEY. There is no evidence of data exfiltration, malicious execution, or prompt injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Google Maps API key could appear in chat output, logs, or shared transcripts, and could be abused for quota or billing if exposed.

Why it was flagged

The search result returned to the user/agent embeds the environment API key directly into a URL.

Skill content

place["photo_url"] = f"https://maps.googleapis.com/maps/api/place/photo?maxwidth=400&photoreference={photo_ref}&key={self.api_key}"

Recommendation

Do not return API keys in output URLs. Patch the skill to omit photo_url, fetch photos through a controlled helper without printing the key, or use a tightly restricted/regenerated Google Maps key.

What this means

The agent can run the helper to make Google Maps requests using locations or addresses you provide.

Why it was flagged

The skill grants command execution so the agent can run the included Python helper, which is central to the documented maps workflow.

Skill content

allowed-tools: [exec] ... python3 skills/google-maps/lib/map_helper.py <action> [options]

Recommendation

Keep use limited to the documented helper actions and review commands if the agent proposes anything outside the documented map operations.

What this means

Locations and route queries you ask about will be shared with Google, which is expected for this integration but still privacy-relevant.

Why it was flagged

User-provided addresses, coordinates, and place queries are sent to Google Maps APIs with the configured API key.

Skill content

params = {"address": address, "key": self.api_key, "language": language}
res = requests.get(url, params=params).json()

Recommendation

Use the skill only for locations you are comfortable sending to Google, and apply Google Cloud API restrictions and quotas to the key.