ClawHub

Location Awareness

v1.2.0

Location awareness via privacy-friendly GPS tracking (Home Assistant, OwnTracks, GPS Logger). Set location-based reminders and ask about movement history, travel time, and nearby POIs.

5· 2.2k·3 current·3 all-time
by@hegghammer
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (privacy-friendly GPS tracking, Home Assistant/OwnTracks/GPSLogger support) match the included code: providers for Home Assistant, OwnTracks, generic HTTP and a file-based GPSLogger are implemented. The only required binary is python3 which is appropriate. Minor inconsistency: the registry metadata lists no required environment variables, yet the skill explicitly supports/reads many provider-related env vars (HA_TOKEN, HA_URL, OWNTRACKS_TOKEN, LOCATION_HTTP_URL, GPSLOGGER_FILE, LOCATION_PROVIDER), which are necessary for operation when used with remote services.
Instruction Scope
SKILL.md confines runtime actions to running scripts/location.sh which execs location.py and documents the exact commands the agent should run. The runtime instructions and code reference config.json, geofences.json and optionally env vars or ~/.openclaw/.env. The agent is instructed to run the local script and return its output; the instructions do not ask the agent to read arbitrary unrelated files or network endpoints beyond the configured providers. Important: the wrapper will source ~/.openclaw/.env if present, exposing any credentials stored there to the skill.
Install Mechanism
No install spec; the skill is delivered as files and requires an existing python3 on PATH. No downloads or archive extraction are performed by the skill itself, which is low-risk from an install perspective.
Credentials
The skill legitimately needs provider credentials/URLs to access Home Assistant, OwnTracks, or an HTTP endpoint. However, the registry metadata declares no required env vars or primary credential while SKILL.md and the code clearly support many sensitive env vars (HA_TOKEN, HA_URL, OWNTRACKS_TOKEN, LOCATION_HTTP_URL, GPSLOGGER_FILE, etc.). This mismatch is a transparency/metadata issue: users should expect to supply secrets if they want full functionality. The skill does not request unrelated credentials (e.g. AWS keys) and reads only provider-configured endpoints and files.
Persistence & Privilege
always:false (no forced inclusion) and the skill does not request elevated privileges. It stores its geofence/reminder/state files in its script directory (geofences.json, .location_state.json), which is normal for a local skill. It does source ~/.openclaw/.env (via the provided wrapper) which is documented — this gives the skill access to any credentials the user places there, so users should ensure that file only contains intended variables.
Assessment
This skill appears to be what it says: a local location-aware helper that talks to Home Assistant, OwnTracks, a generic HTTP endpoint, or a local GPSLogger file. Before installing or enabling it: - Review scripts/config.json and scripts/location.py to confirm provider URLs and tokens are correct and point to your own services. Don't use tokens from other services. - Understand it will handle highly sensitive location data and may send requests to whichever provider URL you configure (e.g., Home Assistant or an HTTP endpoint). If you configure a third-party HTTP URL, that service will receive your coordinates. - The wrapper automatically sources ~/.openclaw/.env; check that file for any secrets you don't want the skill to read. - The registry metadata omits declaring required env vars; expect to provide HA_TOKEN/HA_URL, OWNTRACKS_TOKEN/OWNTRACKS_URL, or LOCATION_HTTP_URL (depending on provider) for full functionality. - If you want additional assurance, inspect the remainder of scripts/location.py (the truncated portion) to confirm there are no unexpected network calls or remote endpoints beyond configured providers. If you do not trust the skill, run it in an isolated environment or omit provider credentials so it cannot contact external services.

Like a lobster shell, security has layers — review code before you run it.

latestvk97abtjrqq6m7kzvxp9va723x980rg44

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📍 Clawdis
Binspython3

Comments