Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nearby Bubble Tea Shops
v0.1.0
Find nearby bubble tea shops. Invoke when user asks for boba near me.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the content: the skill is explicitly for finding nearby bubble tea shops and lists expected inputs/outputs. However, it does not declare or document any data provider or API (e.g., Google Maps, Foursquare) nor does it include the referenced STANDARD_RESPONSE.md schema, leaving a gap between the claimed purpose and the concrete capabilities required to fulfill it.
Instruction Scope
The SKILL.md prescribes inputs, filters, and privacy guidance but is otherwise open-ended about how to obtain POI data. That vagueness grants the agent wide discretion (web scraping, generic web search, calling third‑party APIs), which can result in unexpected network requests, use of credentials not declared here, or inconsistent behavior. The instructions do say to only query after user authorization and to avoid storing exact coordinates, which is good, but they don't constrain which external endpoints to contact or how to authenticate.
Install Mechanism
No install spec or code is included; this is instruction-only, so nothing will be written to disk or installed by the skill itself.
Credentials
The skill declares no required environment variables, credentials, or config paths. That proportionality is appropriate for an instruction-only skill. Be aware that the agent may still request or use API keys at runtime unless providers are specified and constrained.
Persistence & Privilege
The skill is not always-enabled and can be invoked by the user; it does not request elevated persistence or modifications to other skills. Autonomous invocation is allowed by platform defaults but is not combined here with other concerning privileges.
What to consider before installing
This skill is small and matches its stated purpose, but it omits key operational details: it doesn't specify where to fetch POI data, how to authenticate to an API, or include the referenced STANDARD_RESPONSE.md. Before installing or enabling autonomous use, ask the publisher for (1) the data provider(s) the skill should use, (2) the STANDARD_RESPONSE.md schema, and (3) whether any API keys or billing-enabled services are required. If you allow the agent to call external APIs, restrict or audit which credentials it can access, and confirm the intended privacy behavior for user coordinates (e.g., how and when fuzzing/caching is applied). If you want to avoid unexpected web scraping or third‑party calls, require the skill to declare an explicit provider and credentials or disable autonomous invocation until those are provided.
Like a lobster shell, security has layers — review code before you run it.
