petTracer pet tracking
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it says—retrieve PetTracer location data and make map images—but it needs pet-tracking credentials, may send coordinates to Google Maps, and live tracking should be stopped deliberately.
This skill is reasonable for PetTracer users, but treat pet-location data as sensitive. Provide credentials only via environment variables, restrict/monitor the Google Maps key, use live tracking with an explicit time limit, and review generated map images before sharing them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and invoked, the agent can use your PetTracer account to read pet location data and can use your Google Maps key to generate map images.
The skill requires PetTracer account credentials or a bearer token, plus a Google Maps API key for screenshots. This is expected for the stated integration, but it gives the agent access to pet-location account data and billable map API usage.
`PETTRACER_USERNAME` ... `PETTRACER_PASSWORD`; `PETTRACER_TOKEN`; `GOOGLE_MAPS_API_KEY`
Use environment variables rather than pasting secrets into chat, restrict the Google Maps API key where possible, and rotate credentials if they are exposed.
Google receives the coordinates used to render the static map, and the resulting PNG may reveal the pet's or owner's location if shared.
Generating a map screenshot sends the pet's coordinates and the Google Maps key to Google's Static Maps API. This is purpose-aligned and disclosed, but the location is sensitive.
`GOOGLE_STATIC_ENDPOINT = "https://maps.googleapis.com/maps/api/staticmap"` ... `"center": f"{lat},{lon}"` ... `"markers": marker` ... `"key": api_key`
Only request screenshots when you are comfortable sharing the location with the map provider, and avoid forwarding the generated PNG publicly.
A live tracking command could continue streaming location updates longer than intended if the agent or user does not stop it.
The live tracking client is designed to keep running and reconnect until stopped. This fits live tracking, but users should bound the runtime explicitly.
`async def run_forever(self)` ... `while self._running:` ... `print(f"[pettracer_watch] reconnecting in {backoff_s}s"`
Run live tracking only on explicit request and wrap it with a clear timeout or stop condition, such as the exact number of minutes requested.
Installing the dependency later could pull a newer aiohttp version than the author tested.
The optional live-update dependency is version-ranged rather than pinned. This is common for simple scripts, but future dependency versions may change behavior.
`aiohttp>=3.8`
Install dependencies in an isolated virtual environment and consider pinning reviewed versions for repeatable use.
