Local Places

Review

Audited by ClawScan on May 1, 2026.

Overview

The skill mostly matches its stated Google Places proxy purpose, but its bundled server instructions/code can expose the proxy beyond localhost and an undocumented endpoint override could redirect the API key.

Before installing, confirm you will run the server bound to 127.0.0.1, check that GOOGLE_PLACES_BASE_URL is unset or trusted, and understand that your search/location queries and API key are used to call Google Places.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If followed on a shared network, other devices may be able to call the proxy and indirectly consume the user's Google Places API quota or charges.

Why it was flagged

This bundled run instruction binds the Google Places proxy to all network interfaces, while the skill description says it is a localhost proxy.

Skill content
uv run --env-file .env uvicorn local_places.main:app --host 0.0.0.0 --reload
Recommendation

Run the server only on 127.0.0.1 unless intentional network exposure is needed, and add authentication or network controls before binding to 0.0.0.0.

Concern: Medium Confidence
ASI03: Identity and Privilege Abuse
What this means

If GOOGLE_PLACES_BASE_URL is set unexpectedly, the API key and place/location queries could be sent to a non-Google endpoint.

Why it was flagged

The code sends the Google Places API key in request headers, but the destination base URL can be changed by an undeclared environment variable.

Skill content
GOOGLE_PLACES_BASE_URL = os.getenv("GOOGLE_PLACES_BASE_URL", "https://places.googleapis.com/v1") ... "X-Goog-Api-Key": api_key
Recommendation

Document this override clearly, validate that it only points to trusted endpoints, or remove it for normal skill use.

What this means

Installing and running the package gives the included server code local execution on the user's machine.

Why it was flagged

The skill requires the user to install and run a local Python FastAPI server, which is central to the stated local proxy purpose.

Skill content
uv venv && uv pip install -e ".[dev]"
uv run --env-file .env uvicorn local_places.main:app --host 127.0.0.1 --port 8000
Recommendation

Review the included Python files and run the server with the localhost binding shown in SKILL.md.

What this means

Place searches and approximate locations are shared with the external Places API provider as part of normal operation.

Why it was flagged

Search terms, location text, location bias, and the API key are sent to the configured Google Places API endpoint.

Skill content
response = client.request(method=method, url=url, headers=_api_headers(field_mask), json=payload)
Recommendation

Use the skill only for queries you are comfortable sending to Google Places, and keep the API key private.