Search for places (restaurants, cafes, etc.) via Google Places API proxy on localhost.
Security Analysis
Confidence: medium. The code and instructions mostly match a local Google Places proxy, but metadata/registry mismatches, an unusual dependency ('uv') and undeclared environment usage make the package inconsistent and worth caution.
The source files implement a FastAPI server that proxies Google Places calls and the SKILL.md describes exactly that flow (resolve location → search → details). That capability matches the skill name and description. Minor oddities: pyproject uses the generic name 'my-api' and the FastAPI default server URL includes a personal hostname ('maxims-macbook-air:8000'), which looks like leftover developer config but does not break functionality.
SKILL.md instructs running a local FastAPI server and then curling local endpoints; the runtime instructions and the code line up. The instructions require a GOOGLE_PLACES_API_KEY and expect a .env file; the code reads that env var. Nothing in SKILL.md or the code asks to read unrelated sensitive files. However, the SKILL.md metadata instructs use of a binary named 'uv' (uv venv, uv pip, uv run). These commands appear throughout the docs and hand runtime control to an unusual helper binary rather than standard tooling, which is unexpected and should be verified before use.
There is no install spec (no network download/install step), and the package includes Python source with a normal pyproject listing FastAPI and httpx. That is lower risk than an arbitrary URL installer. Still, the repo expects users to run commands that go through a nonstandard 'uv' wrapper; since no install spec is provided, verify what 'uv' is on your system before running those commands.
The code and SKILL.md use and declare a single environment variable, GOOGLE_PLACES_API_KEY (and support overriding GOOGLE_PLACES_BASE_URL), which is appropriate for a Google Places proxy. However, the registry metadata you provided shows no required envs or binaries, while the SKILL.md metadata requires 'uv' and GOOGLE_PLACES_API_KEY and lists primaryEnv. This mismatch (registry vs SKILL.md vs code) is an incoherence. Also, the ability to override GOOGLE_PLACES_BASE_URL means someone could point requests at a non-Google endpoint; if that happens, the server will send the API key in headers to whatever URL is set, so ensure BASE_URL is not changed to untrusted hosts.
The skill does not request always:true, does not modify other skills or system configuration, and has no unusual persistence claims. It only implements a local server; normal caution around running network servers applies.
Guidance
Things to check before installing/running:
1. Confirm the environment variable requirement: SKILL.md and the code require GOOGLE_PLACES_API_KEY. The registry metadata you saw did not list this; treat the SKILL.md as authoritative and only provide an API key with minimal privileges and billing safeguards.
2. Investigate the 'uv' binary referenced in SKILL.md (commands like 'uv venv', 'uv pip', 'uv run'). 'uv' is not a standard Python tool; find out what it is on your machine (which uv, then inspect its contents) or run the setup steps using standard tools (python -m venv, pip, uvicorn) instead.
3. Pay attention to GOOGLE_PLACES_BASE_URL: it is overridable via env and defaults to the real Google endpoint. Do not point it at arbitrary hosts, because the server will forward your API key in headers to that host.
4. Run the server in an isolated environment (local VM or container) and review the included source files yourself if possible; they are small and readable. Watch for any unexpected network traffic after startup.
5. Because registry metadata and SKILL.md disagree, prefer the code/README and consider asking the publisher (repo owner) for clarification or a release build with consistent metadata. If you cannot verify 'uv' or the metadata mismatch, treat this package with caution and run it isolated or not at all.
Latest Release
v1.0.0
Published by @steipete on ClawHub