Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Auto Repair

v0.1.0

Find nearby auto repair. Invoke when user asks for car repair near me.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with functionality (nearby auto repair). However, the SKILL.md does not specify any data provider or API (e.g., Google/Here/Mapbox) or declare credentials that would commonly be needed to query POI data. That omission makes it unclear how the skill expects to obtain results — either it relies on an implicit platform capability (not documented) or it will try to call external services without declaring necessary keys.
Instruction Scope
The instructions reference STANDARD_RESPONSE.md via a local file URI (file:///Users/mac_lkm/...), which points to a developer-local path. This could cause the agent to attempt to access the host filesystem for that file (privacy / reliability concern). The SKILL.md also lacks concrete guidance on which external endpoints to call or what network calls are expected, so the agent may take broad discretion to fetch POI data from unspecified sources.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is low-risk from an installation/execution perspective because nothing is written to disk by the skill package itself.
Credentials
No environment variables or credentials are requested — good for limiting scope — but this is also odd for a POI-search skill which typically requires API keys or service credentials. The lack of declared credentials is either an intentional design that uses platform-provided location/lookup services, or an omission that could lead the agent to attempt network calls without declared secrets.
Persistence & Privilege
Skill is not always-enabled and is user-invocable; it does not request elevated persistence or modify other skill/system configs. This is appropriate for the described functionality.
What to consider before installing
Before installing, ask the skill author to clarify two things. (1) Which data source(s) will the skill use to find POIs, and which credentials (API keys) does it need? Any required credentials should be declared explicitly in requires.env so the user can see and approve them. (2) Replace or remove the file:///Users/... link to STANDARD_RESPONSE.md: it points to a developer's local path, will not resolve on other hosts, and may prompt the agent to try reading files on the host filesystem. Confirm how the skill will access the response schema instead (embed it in the skill or point to a public URL). Also confirm the location-handling policy (how long precise coordinates are kept and how they are blurred), and refuse to install if the skill intends to read arbitrary local files or call external services without declaring the credentials it requires.
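The two findings above (the developer-local file:// URI under Instruction Scope and the undeclared credentials under Credentials) are easy to check mechanically before installing. The following linter is an added example, not ClawHub's or OpenClaw's scanner code. Both SKILL.md samples are constructed for the example; the `requires:` / `env:` front-matter layout, the regexes, and the severity labels are assumptions, not a documented ClawHub format.

```python
import re
from dataclasses import dataclass

# Constructed sample SKILL.md showing the two problems the scan report describes:
# a file:// URI into a developer's home directory and an external API call with
# no declared credentials. The path and host are made up for this example.
SAMPLE_SKILL_MD = """---
name: auto-repair
description: Find nearby auto repair. Invoke when user asks for car repair near me.
---
Follow the response format in file:///Users/devname/skills/STANDARD_RESPONSE.md.
Query https://api.example-maps.invalid/v1/places for shops near the user's location.
"""

# Constructed "fixed" version: schema embedded, credentials declared (assumed layout).
SAMPLE_SKILL_MD_FIXED = """---
name: auto-repair
description: Find nearby auto repair. Invoke when user asks for car repair near me.
requires:
  env:
    - MAPS_API_KEY
---
Follow the response format in the STANDARD_RESPONSE section at the end of this file.
Query https://api.example-maps.invalid/v1/places for shops near the user's location.
"""

FILE_URI = re.compile(r"file://(/[^\s)>\"']*)")
HTTP_URL = re.compile(r"https?://([A-Za-z0-9.-]+)")
# A `requires:` block that contains an `env:` key (assumed front-matter layout).
REQUIRES_ENV = re.compile(r"^requires:\s*\n(?:[ \t]+.*\n)*?[ \t]+env:", re.MULTILINE)
# Paths that exist only on a developer's machine, never on the installing user's host.
DEV_LOCAL_PATH = re.compile(r"^/(Users|home)/[^/]+/")


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    detail: str


def lint_skill_md(text: str) -> list[Finding]:
    """Return findings for local file URIs and undeclared credentials."""
    findings: list[Finding] = []

    # Any file:// URI asks the agent to read the host filesystem; one that points
    # into a home directory is almost certainly a developer-local path.
    for m in FILE_URI.finditer(text):
        path = m.group(1).rstrip(".,;")
        sev = "high" if DEV_LOCAL_PATH.match(path) else "medium"
        findings.append(Finding(sev, "local-file-uri", f"file:// URI to host path {path}"))

    # External hosts referenced without any declared requires.env entry: the skill
    # either relies on an undocumented platform capability or will call out with
    # secrets it never asked the user for.
    hosts = sorted({m.group(1) for m in HTTP_URL.finditer(text)})
    declares_env = REQUIRES_ENV.search(text) is not None
    if hosts and not declares_env:
        findings.append(Finding(
            "medium", "undeclared-credentials",
            "calls external host(s) " + ", ".join(hosts) + " but declares no requires.env",
        ))
    return findings


if __name__ == "__main__":
    for label, doc in (("as published", SAMPLE_SKILL_MD), ("fixed", SAMPLE_SKILL_MD_FIXED)):
        print(f"== {label} ==")
        for f in lint_skill_md(doc) or [Finding("info", "clean", "no findings")]:
            print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Run it against a skill package before installing; a `high` finding on `local-file-uri` is the case called out above, and the `undeclared-credentials` rule only clears once a `requires:` block with an `env:` key is present.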


latest · vk976zr5aa3f5genmbdjj0bxyz183f89k

