Security Audit

goplaces

github.com/openclaw/openclaw

AI SkillCommit b62bd290cb4e

TRUSTED

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

goplaces received a trust score of 93/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.

SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Reliance on third-party Homebrew tap for installation, Skill requires sensitive API key.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 18, 2026 (commit b62bd290). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

93%

Dependency Graph

100%

LLM Behavioral Safety

100%

Behavioral Risk Signals

Network Access

1 finding

Shell Execution

1 finding

Excessive Permissions

1 finding

Security Findings2

Severity	Finding	Layer	Location
MEDIUM	Reliance on third-party Homebrew tap for installation The skill's installation method specifies a third-party Homebrew tap (`steipete/tap/goplaces`). Relying on external, non-official taps introduces a supply chain risk. A compromise of the tap maintainer's account or the upstream `goplaces` project could lead to the distribution of malicious software through this installation channel. Consider using official package repositories, vendoring the dependency, or implementing stricter integrity checks for third-party dependencies. Evaluate the trustworthiness and security practices of the `steipete/tap` maintainer.	Static	SKILL.md
INFO	Skill requires sensitive API key The skill explicitly requires the `GOOGLE_PLACES_API_KEY` environment variable to function. This indicates that the skill will handle a sensitive credential. Secure management and transmission of this key by the LLM's execution environment are critical to prevent unauthorized access to the Google Places API. Ensure the LLM environment securely stores and passes API keys, using mechanisms like secret management services or environment variable isolation. Avoid hardcoding credentials within the skill's logic or documentation.	Static	SKILL.md

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/789e26ddfb216e19.svg)](https://skillshield.io/report/789e26ddfb216e19)