Goplaces
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent Google Places CLI skill with no evidence of hidden or destructive behavior, but it relies on a Google API key, a Homebrew-installed binary, and an optional proxy endpoint.
This skill appears safe for its stated purpose. Before installing, make sure you trust the Homebrew tap, use a restricted Google Places API key with quota or billing controls, and do not configure `GOOGLE_PLACES_BASE_URL` unless you know and trust the proxy endpoint.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may consume Google Places API quota or incur charges tied to the configured API key.
The skill requires a Google Places API credential, which is expected for its purpose but can authorize API usage and possible billing on the user's Google account.
`GOOGLE_PLACES_API_KEY` required.
Use a scoped Google Places API key with appropriate quota and billing limits, and avoid sharing the key in prompts, logs, or public files.
The installed CLI will run locally with the user's environment, including access to the configured Google Places API key.
The skill depends on installing an external executable from a Homebrew tap. This is disclosed and central to the skill, but users are trusting that package source.
Homebrew: `brew install steipete/tap/goplaces`
Install only if you trust the referenced Homebrew tap and project source, and keep the package updated through normal Homebrew channels.
If pointed at an untrusted endpoint, place queries and related request data could be exposed outside the normal Google Places API path.
The documented base URL override can route API requests through a non-default testing or proxy endpoint if the user configures it.
Optional: `GOOGLE_PLACES_BASE_URL` for testing/proxying.
Leave `GOOGLE_PLACES_BASE_URL` unset unless you intentionally use a trusted testing or proxy service.
