Exhaustive Google Places search using grid-based scanning. Finds ALL places, not just what Google surfaces.
Security Analysis
Confidence: medium
The skill's instructions require a Google Places API key and reference pulling/using a third-party binary, but the registry metadata does not declare the required credential or installation. This mismatch, and the need to execute external code, warrants caution.
The skill's stated purpose (exhaustive Google Places/grid scanning) legitimately requires a Google Places + Geocoding API key, and the SKILL.md reflects that. However, the registry metadata lists no required environment variables or primary credential, which is inconsistent with the runtime instructions that say to export GOOGLE_PLACES_API_KEY.
The SKILL.md tells the agent/user to run a local binary (~/projects/spots/spots) or install it via `go install github.com/foeken/spots@latest`, and to export GOOGLE_PLACES_API_KEY. It references a 1Password path for the key. The instructions therefore (a) expect an external, third-party binary to be executed (one the skill itself does not provide), and (b) implicitly require the agent/environment to hold or read an API key that is not declared in the metadata. There are no instructions that read unrelated system files, but running an arbitrary binary is a higher-scope action than an instruction-only skill usually requires.
There is no install spec in the registry (instruction-only). The SKILL.md recommends installing a Go binary from a third‑party GitHub repo (github.com/foeken/spots). That is a legitimate distribution method for a CLI, but the skill does not provide the binary itself nor vet it — installing/executing code from an external repo carries typical supply-chain risks and should be reviewed prior to installation.
The runtime instructions require a GOOGLE_PLACES_API_KEY (and implicitly access to 1Password/its path) but the skill metadata did not declare any required env vars or primary credential. Requesting a Google API key is proportionate for the described purpose, but the missing declaration and the 1Password reference are inconsistent and could lead to accidental exposure of a sensitive key if the agent/environment is configured without the user's careful review.
The skill does not set always:true, does not request system config paths, and has no install-time persistence declared. Autonomous invocation is allowed (platform default), but there is no extra permanent presence or modification of other skills/config reported.
Guidance
This skill appears to be a wrapper around a third-party CLI that performs grid-based queries of Google Places and therefore needs a Google Places + Geocoding API key. Before installing or running it:
1) Confirm the repository (https://github.com/foeken/spots) and review its code for any unexpected behavior (network calls, file access, telemetry).
2) Don't put your production-wide Google API key into a shared agent environment; create a key with minimal permissions and monitor usage/billing.
3) The registry metadata should have declared GOOGLE_PLACES_API_KEY; treat that omission as a red flag and avoid allowing the agent to auto-read environment secrets until the skill metadata is corrected.
4) If you use 1Password, verify how secrets are retrieved (do not give broad CLI/agent access to your vault without auditing).
5) If you want lower risk, run the CLI locally yourself (in an isolated environment) rather than giving the agent the ability to invoke the external binary automatically.
If the registry is updated to explicitly declare the API key requirement and to provide an audited install or embed the vetted client code, confidence would increase.
Latest Release
v0.2.0
Add --coords flag for direct lat,lng input, spots setup command, improved docs
Published by @foeken on ClawHub