Camino Places.Bak
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward Camino geocoding wrapper, but users should notice that it uses a Camino API key, sends place/address queries to Camino, and has some minor install/provenance ambiguity.
This skill looks benign for place lookup. Before installing, make sure you trust Camino with your search/address data, use a revocable API key, and avoid the broad “install all skills” command unless you have reviewed the other Camino skills too.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing the skill needs to provide a Camino API key, which may be tied to usage limits or billing on that service.
The script sends the user's Camino API key to the Camino API. This is expected for the integration, but it is still delegated account/API authority.
-H "X-API-Key: $CAMINO_API_KEY"
Use a dedicated Camino key if available, monitor usage, and revoke or rotate the key if you uninstall the skill or no longer need it.
Place searches, addresses, or other location details you submit may be processed by Camino's service.
The user-provided JSON search input is transmitted to Camino's external API. This is coherent with geocoding, but addresses and location searches can be sensitive.
-d "$INPUT" \
"https://api.getcamino.ai/search" | jq .Avoid submitting private addresses or sensitive location queries unless you are comfortable sharing them with Camino.
Following the broad install command could add additional skills that were not evaluated here.
The documentation recommends a user-run, unpinned install from a remote GitHub repository and installing the broader skill suite. This is not automatic, but it expands trust beyond the reviewed files.
Install all available skills from repo npx skills add https://github.com/barneyjm/camino-skills
Prefer installing only the specific skill you need, verify the repository and version first, and review any additional skills before enabling them.
The package identity is somewhat unclear, so users may have less confidence about its source and release lineage.
The bundled metadata differs from the registry listing for this evaluated package, which names camino-places-bak version 1.0.0 under a different owner ID. This creates provenance ambiguity but does not contradict the script's behavior.
"ownerId": "kn73ng22spp267sexbxw8wzd5n819akn", "slug": "camino-places", "version": "0.2.0"
Confirm the publisher and intended package name/version before installing, especially if you expected the non-backup Camino Places skill.