Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nearby Clinics

v0.1.0

Find nearby clinics. Invoke when user asks for a clinic near me.

by ClawKK @codekungfu
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and declared inputs/outputs align: the skill is clearly for returning nearby clinics given a lat/lng, radius, limit, and optional filters. There are no declared capabilities that are unrelated to finding POIs.
Instruction Scope
SKILL.md defines inputs, outputs, triggers, and privacy guidance but does not specify any data providers, APIs, endpoints, or exact query mechanism. That vagueness gives the agent broad discretion to choose where to fetch POI data (potentially any external service). It also references STANDARD_RESPONSE.md which is not present in the manifest, creating an incomplete runtime spec.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing gets written to disk by an installer because there is no installer.
Credentials
The skill requests no environment variables or credentials, which is proportionate as declared. However, practical execution typically requires a mapping/places API key (Google, Mapbox, Foursquare, etc.); the absence of declared primary credentials means either the agent will attempt to use available network access or will prompt for keys at runtime. That omission reduces transparency about where sensitive API keys would be used.
Persistence & Privilege
always is false and the skill does not request persistent privileges or modify other skills. Normal autonomous invocation is allowed (platform default) but is not by itself a concern here.
What to consider before installing
This skill's functionality (finding nearby clinics) is reasonable, but the runtime instructions are incomplete. Before installing, ask the author to: 1) specify which data provider(s) the skill will call (e.g., Google Maps, Mapbox, Foursquare) and include the exact endpoints; 2) declare any required API keys or environment variables so you can control where credentials are used; 3) provide the referenced STANDARD_RESPONSE.md so you can verify the output format; and 4) confirm whether the agent will ask for explicit approval before making network requests. If you proceed without those clarifications, consider restricting the agent's network access or requiring user confirmation before the skill contacts external services, since the current spec allows the agent to choose arbitrary endpoints.


latestvk977caz4av9jyq752v3396k6nh83ej8j
