Safety Report

Goplaces

Name: Goplaces
Rating: 3 (24 reviews)
Author: steipete

Query Google Places API (New) via the goplaces CLI for text search, place details, resolve, and reviews. Use for human-friendly place lookup or JSON output for scripts.

12,844Downloads

713Installs

24Stars

1Versions

API Integration4,971 Search & Retrieval2,116 CLI & Shell Tools1,805 Database Management1,222

Security Analysis

medium confidence

Suspicious0.08 risk

The skill's runtime instructions (SKILL.md) reasonably describe a Google Places CLI that needs a Homebrew install and a GOOGLE_PLACES_API_KEY, but the registry metadata claims no required binaries or env vars—this inconsistency and the third-party Homebrew tap recommendation merit caution.

Feb 11, 20261 files3 concerns

Purpose & Capabilitynote

The SKILL.md describes a goplaces CLI that queries the Google Places API and requires the goplaces binary and a GOOGLE_PLACES_API_KEY—these are appropriate for the stated purpose. However, the registry-level 'Requirements' section lists no required binaries or env vars, which is inconsistent with the SKILL.md and suggests incomplete or incorrect metadata.

Instruction Scopeok

The instructions are narrowly scoped to installing and using the goplaces CLI and to setting GOOGLE_PLACES_API_KEY (and an optional base URL). They do not instruct the agent to read unrelated files, collect broad system context, or exfiltrate data to unexpected endpoints.

Install Mechanismnote

There is no install spec in the registry, but SKILL.md recommends installing steipete/tap/goplaces via Homebrew. Installing from a third-party Homebrew tap/PPA is common but carries more trust risk than official Homebrew/core packages — verify the tap/formula and repository before installing.

Credentialsconcern

Requesting GOOGLE_PLACES_API_KEY is proportional to the skill's purpose. The concern is the metadata mismatch: the registry claims no required env vars while SKILL.md requires one. This mismatch could lead to the agent not prompting for a necessary key or to misconfigured permissions. Also verify the API key is scoped and restricted (referrers/quota) before use.

Persistence & Privilegeok

The skill does not request permanent presence (always:false) and has no code/install that writes to disk via the registry. Autonomous model invocation is enabled (default) but that is expected and not a standalone concern here.

Guidance

Before installing or enabling this skill: 1) Note the inconsistency — the registry metadata lists no required binaries/env vars but SKILL.md requires the goplaces binary and GOOGLE_PLACES_API_KEY. Don't assume the agent will auto-provide the key. 2) Verify the Homebrew tap and the GitHub repo (https://github.com/steipete/goplaces) and inspect the formula before running brew install from steipete/tap; third-party taps can execute arbitrary install steps. 3) Create a Google API key limited to the Places API, set appropriate referrer/IP restrictions and quota limits, and avoid using a broadly-permissioned key. 4) If you prefer lower risk, install goplaces manually on a test system first and confirm behavior, or use an alternative integration that uses official packages. 5) If you enable the skill for autonomous use, be aware the agent could call the CLI when invoked — ensure the environment variable and binary are only present in contexts you trust.

Latest Release

v1.0.0

More by @steipete

Gog

672 stars

Github

267 stars

Weather

229 stars

Frontend Design

186 stars

Openai Whisper

173 stars

Nano Banana Pro

164 stars

Published by @steipete on ClawHub