Skill v1.0.0
ClawScan security
Goplaces · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 8:21 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's runtime instructions (SKILL.md) reasonably describe a Google Places CLI that needs a Homebrew install and a GOOGLE_PLACES_API_KEY, but the registry metadata claims no required binaries or env vars—this inconsistency and the third-party Homebrew tap recommendation merit caution.
- Guidance: Before installing or enabling this skill:
  1) Note the inconsistency — the registry metadata lists no required binaries/env vars but SKILL.md requires the goplaces binary and GOOGLE_PLACES_API_KEY. Don't assume the agent will auto-provide the key.
  2) Verify the Homebrew tap and the GitHub repo (https://github.com/steipete/goplaces) and inspect the formula before running brew install from steipete/tap; third-party taps can execute arbitrary install steps.
  3) Create a Google API key limited to the Places API, set appropriate referrer/IP restrictions and quota limits, and avoid using a broadly-permissioned key.
  4) If you prefer lower risk, install goplaces manually on a test system first and confirm behavior, or use an alternative integration that uses official packages.
  5) If you enable the skill for autonomous use, be aware the agent could call the CLI when invoked — ensure the environment variable and binary are only present in contexts you trust.
Review Dimensions
- Purpose & Capability (note): The SKILL.md describes a goplaces CLI that queries the Google Places API and requires the goplaces binary and a GOOGLE_PLACES_API_KEY—these are appropriate for the stated purpose. However, the registry-level 'Requirements' section lists no required binaries or env vars, which is inconsistent with the SKILL.md and suggests incomplete or incorrect metadata.
- Instruction Scope (ok): The instructions are narrowly scoped to installing and using the goplaces CLI and to setting GOOGLE_PLACES_API_KEY (and an optional base URL). They do not instruct the agent to read unrelated files, collect broad system context, or exfiltrate data to unexpected endpoints.
- Install Mechanism (note): There is no install spec in the registry, but SKILL.md recommends installing steipete/tap/goplaces via Homebrew. Installing from a third-party Homebrew tap/PPA is common but carries more trust risk than official Homebrew/core packages — verify the tap/formula and repository before installing.
- Credentials (concern): Requesting GOOGLE_PLACES_API_KEY is proportional to the skill's purpose. The concern is the metadata mismatch: the registry claims no required env vars while SKILL.md requires one. This mismatch could lead to the agent not prompting for a necessary key or to misconfigured permissions. Also verify the API key is scoped and restricted (referrers/quota) before use.
- Persistence & Privilege (ok): The skill does not request permanent presence (always:false) and has no code/install that writes to disk via the registry. Autonomous model invocation is enabled (default) but that is expected and not a standalone concern here.
