Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

cpbox-local-descriptions

v1.0.0

USE FOR getting AI-generated POI text descriptions. Requires POI IDs obtained from web-search (with result_filter=locations). Returns markdown descriptions g...

by springmint @sprintmint
Security Scan
VirusTotal
Benign
View report →
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description (AI-generated POI descriptions using POI IDs from a web-search) align with the runtime instructions: the SKILL.md documents calling a cpbox.io endpoint with POI IDs obtained from web-search (result_filter=locations). The listed service domains (cpbox.io, cppay.finance) are consistent with the described provider/facilitator roles.
Instruction Scope
Instructions are scoped to calling the cpbox.io API and obtaining POI IDs from a prior web-search step. However, the skill requires an external payment flow (x402) and refers to a README for setup; it tells the agent to use an external payment SDK which may execute network calls and prompt for signing. The instructions do not ask the agent to read local files or secrets, but they do direct execution of external tooling (npx) and network requests to third-party domains.
Install Mechanism
Instruction-only skill with no install spec and no code files. No packages are installed by the skill itself; risk comes from following the provided commands (e.g., using npx to run an external package) rather than from an installer embedded in the skill.
Credentials
The SKILL.md requires a payment setup (x402-payment) and recommends npx/@springmint/x402-payment or a Go SDK, but the skill metadata declares no required environment variables or credentials. This is an inconsistency: the payment SDK or signing step will likely require keys, wallets, or other secrets which are not documented in the skill manifest, so it's unclear what sensitive data will be needed or transmitted to the facilitator (cppay.finance).
Persistence & Privilege
Skill is not always-enabled and does not request persistent or elevated platform privileges. It is user-invocable and does not declare modifying other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (generate AI descriptions for POIs) but relies on an external pay-per-use flow and an npm SDK that the skill does not declare credentials for. Before installing or running:

  1. Inspect the payment flow and SDK (@springmint/x402-payment) separately — npx will fetch and execute code from npm, so review the package and its source first.
  2. Verify what credentials or signing keys the x402 payment flow requires and which domain will receive them (cppay.finance/cpbox.io).
  3. Confirm privacy and billing terms for cpbox.io and cppay.finance and whether any sensitive data (e.g., API keys, wallet keys) will be transmitted or stored.
  4. If you must use the SDK, prefer installing and reviewing it locally (not blindly running npx), and only grant minimal, purpose-limited credentials.

If you want higher assurance, request the skill author to declare required env vars and provide a clear README describing the exact credential and key handling.

Like a lobster shell, security has layers — review code before you run it.

latestvk972d5g776j0dakewvj1c09681838w88
112 downloads
2 stars
1 version
Updated 4h ago
v1.0.0
MIT-0

Local Descriptions (Search API)

Paid Local Descriptions proxy via x402 pay-per-use (HTTP 402).

Prerequisites: This skill requires x402-payment. Complete the setup steps before first use.

Two-step flow: This endpoint requires POI IDs from a prior web search.

  1. Call web-search with result_filter=locations to get POI IDs from locations.results[].id
  2. Pass those IDs to this endpoint to get AI-generated descriptions

Service URLs

| Role | Domain |
| --- | --- |
| API Provider | https://www.cpbox.io |
| Facilitator | https://www.cppay.finance |

Endpoint (Agent Interface)

GET /api/x402/local-descriptions

Payment Flow (x402 Protocol)

  1. First request -> 402 Payment Required with requirements JSON
  2. Sign & retry with PAYMENT-SIGNATURE -> result JSON

With @springmint/x402-payment or x402-sdk-go, payment is automatic.

Quick Start (cURL)

Get POI Description

curl -s "https://www.cpbox.io/api/x402/local-descriptions?ids=loc4CQWMJWLD4VBEBZ62XQLJTGK6YCJEEJDNAAAAAAA%3D" \
  -H "Accept: application/json" \
  -H "Accept-Encoding: gzip"

Multiple POIs

curl -s "https://www.cpbox.io/api/x402/local-descriptions" \
  -H "Accept: application/json" \
  -H "Accept-Encoding: gzip" \
  -G \
  --data-urlencode "ids=loc4CQWMJWLD4VBEBZ62XQLJTGK6YCJEEJDNAAAAAAA=" \
  --data-urlencode "ids=loc4HTAVTJKP4RBEBZCEMBI3NG26YD4II4PATIHPDYI="

Note: POI IDs are opaque strings returned in web search locations.results[].id. They are valid for approximately 8 hours. The example IDs above are for illustration — fetch fresh IDs via web-search with result_filter=locations.

Using with x402-payment

npx @springmint/x402-payment \
  --url "https://www.cpbox.io/api/x402/local-descriptions?ids=loc4CQWMJWLD4VBEBZ62XQLJTGK6YCJEEJDNAAAAAAA%3D" \
  --method GET

Parameters

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| ids | string[] | Yes | - | POI IDs from web search locations.results[].id (1-20, repeated: ?ids=a&ids=b) |

Response Format

Response Fields

| Field | Type | Description |
| --- | --- | --- |
| type | string | Always "local_descriptions" |
| results | array | List of description objects (entries may be null) |
| results[].type | string | Always "local_description" |
| results[].id | string | POI identifier matching the request |
| results[].description | string? | AI-generated markdown description, or null if unavailable |

Example Response

{
  "type": "local_descriptions",
  "results": [
    {
      "type": "local_description",
      "id": "loc4CQWMJWLD4VBEBZ62XQLJTGK6YCJEEJDNAAAAAAA=",
      "description": "### Overview\nA cozy neighborhood cafe known for its **artisanal coffee**..."
    }
  ]
}

Getting POI IDs

POI IDs come from the Web Search API (web-search) with result_filter=locations:

# 1. Search for local businesses
curl -s "https://www.cpbox.io/api/x402/web-search?q=restaurants+san+francisco&result_filter=locations" \
  -H "Accept: application/json"

# 2. Extract POI IDs from locations.results[].id
# 3. Use those IDs with local/pois and local/descriptions

Use Cases

  • Local business overview: Pair with local-pois to get both structured data (hours, ratings) and narrative descriptions
  • Travel/tourism enrichment: Add descriptive context to POIs for travel planning or destination guides
  • Search results augmentation: Supplement web search results with AI-generated summaries of local businesses

Notes

  • Always markdown: Descriptions use ### headings, bullet lists, bold/italics — always formatted as markdown
  • Travel-guide tone: Typically 200-400 words covering what makes the POI notable
  • AI-generated: Descriptions are AI-generated based on web search context, not sourced from business profiles
  • Availability: Not all POIs have descriptions — description may be null
  • Max IDs: Up to 20 IDs per request
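
The following Python is an added example, not part of the skill or of cpbox.io's own code. It builds the request under the documented 1-20 ID limit with repeated ids parameters, and checks a response against the documented fields (null entries, null descriptions, IDs matching the request) before an agent consumes it. The function names build_url and parse_descriptions are hypothetical, and the sample response is constructed.

```python
import json
from urllib.parse import urlencode

BASE = "https://www.cpbox.io/api/x402/local-descriptions"
MAX_IDS = 20  # documented limit: up to 20 IDs per request


def build_url(ids):
    """Build the request URL with one repeated ids= parameter per POI ID."""
    ids = list(ids)
    if not 1 <= len(ids) <= MAX_IDS:
        raise ValueError(f"expected 1-{MAX_IDS} POI IDs, got {len(ids)}")
    if any(not isinstance(i, str) or not i for i in ids):
        raise ValueError("POI IDs must be non-empty strings")
    # urlencode percent-encodes the trailing '=' of each opaque ID as %3D
    return BASE + "?" + urlencode([("ids", i) for i in ids])


def parse_descriptions(body, requested_ids):
    """Return {id: description or None}; reject any undocumented response shape."""
    doc = json.loads(body)
    if not isinstance(doc, dict) or doc.get("type") != "local_descriptions":
        raise ValueError("unexpected top-level type")
    results = doc.get("results")
    if not isinstance(results, list):
        raise ValueError("results must be a list")
    out = {i: None for i in requested_ids}
    for entry in results:
        if entry is None:  # documented: entries may be null
            continue
        if not isinstance(entry, dict) or entry.get("type") != "local_description":
            raise ValueError("unexpected result entry")
        poi_id, desc = entry.get("id"), entry.get("description")
        if not isinstance(poi_id, str) or poi_id not in out:
            raise ValueError(f"response contains unrequested id {poi_id!r}")
        if desc is not None and not isinstance(desc, str):
            raise ValueError("description must be a string or null")
        out[poi_id] = desc  # third-party AI-generated markdown: untrusted text
    return out


if __name__ == "__main__":
    # Constructed sample, using the illustrative IDs from the page
    ids = ["loc4CQWMJWLD4VBEBZ62XQLJTGK6YCJEEJDNAAAAAAA=",
           "loc4HTAVTJKP4RBEBZCEMBI3NG26YD4II4PATIHPDYI="]
    body = json.dumps({"type": "local_descriptions", "results": [
        {"type": "local_description", "id": ids[0], "description": "### Overview\n..."},
        None]})
    print(build_url(ids))
    print(parse_descriptions(body, ids))
```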
