ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

abe-findmy-location

v1.0.0

Track a shared contact's location via Apple Find My with street-level accuracy. Returns address, city, and context (home/work/out) by reading map landmarks....

0· 62·0 current·0 all-time
by@abeltennyson

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for abeltennyson/abe-findmy-location.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "abe-findmy-location" (abeltennyson/abe-findmy-location) from ClawHub.
Skill page: https://clawhub.ai/abeltennyson/abe-findmy-location
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install abe-findmy-location

ClawHub CLI

Package manager switcher

npx clawhub@latest install abe-findmy-location
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description and the Python script match: the skill automates the macOS Find My app, reads accessibility text and screenshots, and can call an external vision API to extract street names. However the registry metadata claims no required env vars or binaries while SKILL.md and the code require peekaboo, optionally Hammerspoon, and an API key (SKILLBOSS_API_KEY). That manifest/instruction mismatch is an incoherence that should be resolved before trusting the skill.
!
Instruction Scope
SKILL.md instructs the agent/user to grant Accessibility and Screen Recording permissions and to install peekaboo (screen-reader/automation), capture screenshots of Find My, and (if needed) send those screenshots to an external AI vision endpoint. The code also probes for local files (e.g., ~/clawd/USER.md) and local hsclick scripts. Capturing and transmitting screenshots of another person's location is highly sensitive; the instructions give broad permission to capture and transmit data that go beyond local-only processing.
Install Mechanism
There is no remote download/install that pulls arbitrary binaries; install.sh only creates ~/.local/bin links and a config file. This keeps disk writes local and visible. However dependencies are not declared: the Python script uses the requests library but no dependency list is provided. SKILL.md instructs brew installs for peekaboo/hammerspoon (external packages).
!
Credentials
The code and SKILL.md require a SKILLBOSS_API_KEY to call https://api.heybossai.com/v1/pilot to perform vision on screenshots. That env var is not listed in the registry metadata (metadata says 'none'), an important mismatch. While an API key is proportionate to an external vision fallback, it is a sensitive credential and will be sent as a Bearer token with base64-encoded screenshots; you must trust that third party before providing the key.
Persistence & Privilege
always is false and the skill only writes to ~/.local/bin and ~/.config/findmy-location (normal). The README/SKILL.md also suggests creating an unauthenticated local Hammerspoon HTTP endpoint (port 9090) and an hsclick wrapper — this opens an unauthenticated local control surface for generating clicks. That is not 'always: true' privilege, but it is an additional local attack surface and should be considered.
What to consider before installing
This skill will control the Find My app on macOS, take screenshots of the map, and — if the skill cannot determine an address locally — upload the screenshot (base64) to an external AI vision API (https://api.heybossai.com). Before installing: - Confirm metadata vs README inconsistency: the registry lists no required env vars/binaries, but the code and SKILL.md require peekaboo, optionally Hammerspoon, and SKILLBOSS_API_KEY. Do not provide an API key unless you trust the API operator. - Understand privacy: screenshots include other people's location. Uploading them to a third party may violate privacy expectations and could leak location and contextual data. - Review and trust the external endpoint (api.heybossai.com / SkillBoss API Hub). If you can't verify who runs it, avoid setting SKILLBOSS_API_KEY or disable vision fallback. - Be cautious granting Accessibility and Screen Recording permissions to third-party tools (peekaboo/hammerspoon). Those permissions allow broad UI automation and screen capture. - The optional Hammerspoon instructions create an unauthenticated local HTTP server (port 9090) and an hsclick helper — this is convenient but increases local attack surface; consider protecting or avoiding it. - Check the repository/source and author (source is unknown here). If you decide to proceed, review the code yourself, run in an isolated account or VM, and avoid exposing real credentials until you verify the service. Given the manifest/instruction mismatches and the explicit screenshot upload behavior, treat this skill as suspicious until you (a) verify the upstream source and (b) confirm you trust the external vision API and are comfortable with the privacy implications.

Like a lobster shell, security has layers — review code before you run it.

latestvk979237ntghkf4na06yf0pd5fd85fc94
62downloads
0stars
1versions
Updated 4d ago
v1.0.0
MIT-0
@abeltennyson
latest
Download

Find My Location

Track shared contacts via Apple Find My with street-corner accuracy.

Requirements

  • macOS 13+ with Find My app
  • Python 3.9+
  • iCloud account signed in on your Mac (for Find My access)
  • Location sharing enabled from the contact you want to track
  • peekaboo - screen reading CLI (GitHub)
  • Hammerspoon (optional) - for reliable UI clicking (hammerspoon.org)
  • SKILLBOSS_API_KEY - for AI vision fallback via SkillBoss API Hub

Prerequisites

1. iCloud & Find My Setup

Your Mac must be signed into an iCloud account with Find My enabled:

  • System Settings → Apple ID → iCloud → Find My Mac (enabled)
  • The person you want to track must share their location with this iCloud account via Find My

2. Install peekaboo

brew install steipete/tap/peekaboo

Grant Accessibility and Screen Recording permissions when prompted (System Settings → Privacy & Security).

3. Install Hammerspoon (optional but recommended)

Hammerspoon provides reliable clicking that works across all apps. Without it, clicks may occasionally go to the wrong window.

brew install hammerspoon
open -a Hammerspoon

Add to ~/.hammerspoon/init.lua:

local server = hs.httpserver.new(false, false)
server:setPort(9090)
server:setCallback(function(method, path, headers, body)
    local data = body and hs.json.decode(body) or {}
    if path == "/click" then
        hs.eventtap.leftClick({x=data.x, y=data.y})
        return hs.json.encode({status="clicked", x=data.x, y=data.y}), 200, {}
    end
    return hs.json.encode({error="not found"}), 404, {}
end)
server:start()

Reload config (Hammerspoon menu → Reload Config), then create ~/.local/bin/hsclick:

#!/bin/bash
curl -s -X POST localhost:9090/click -d "{\"x\":$2,\"y\":$3}"
chmod +x ~/.local/bin/hsclick

Installation

git clone https://github.com/poiley/findmy-location.git
cd findmy-location
./install.sh

Or via ClawdHub:

clawdhub install findmy-location

Configuration

Create ~/.config/findmy-location/config.json:

{
  "target": "John",
  "known_locations": [
    {
      "name": "home",
      "address": "123 Main St, City, ST",
      "markers": ["landmark near home"]
    },
    {
      "name": "work",
      "address": "456 Office Blvd, City, ST",
      "markers": ["landmark near work"]
    }
  ]
}
FieldDescription
targetContact name to track (optional - defaults to first shared contact)
known_locationsArray of places you want labeled with addresses
markersLandmarks visible on the Find My map when at that location

Usage

findmy-location          # Human-readable output
findmy-location --json   # JSON output

Example Output

123 Main St, City, ST (home) - Now

{
  "person": "contact@email.com",
  "address": "Main St & 1st Ave",
  "city": "Anytown",
  "state": "WA",
  "status": "Now",
  "context": "out",
  "screenshot": "/tmp/findmy-12345.png",
  "needs_vision": false
}
FieldDescription
contexthome, work, out, or unknown
needs_visionIf true, SkillBoss API Hub vision was used to read street names from screenshot
screenshotPath to captured map image

How It Works

  1. Opens Find My app and selects target contact
  2. Captures map and reads accessibility data
  3. Matches visible landmarks against configured known locations
  4. If no known location matched, calls SkillBoss API Hub vision (/v1/pilot, type: chat) to read street names from screenshot
  5. Returns address and context

Troubleshooting

IssueSolution
Clicks go to wrong windowInstall Hammerspoon (see prerequisites)
"No person found"Ensure location sharing is enabled in Find My
Always shows needs_vision: trueAdd markers for frequently visited places
Permission errorsGrant peekaboo Accessibility + Screen Recording access

License

MIT

Comments

Loading comments...