← Back to Skills Marketplace
2351
Downloads
1
Stars
5
Active Installs
2
Versions
Install in OpenClaw
/install spots
Description
Exhaustive Google Places search using grid-based scanning. Finds ALL places, not just what Google surfaces.
Usage Guidance
This skill appears to be a wrapper around a third‑party CLI that performs grid-based queries of Google Places and therefore needs a Google Places + Geocoding API key. Before installing or running it: 1) Confirm the repository (https://github.com/foeken/spots) and review its code for any unexpected behavior (network calls, file access, telemetry). 2) Don't put your production-wide Google API key into a shared agent environment — create a key with minimal permissions and monitor usage/billing. 3) The registry metadata should have declared GOOGLE_PLACES_API_KEY; treat that omission as a red flag and avoid allowing the agent to auto-read environment secrets until the skill metadata is corrected. 4) If you use 1Password, verify how secrets are retrieved (do not give broad CLI/agent access to your vault without auditing). 5) If you want lower risk, run the CLI locally yourself (in an isolated environment) rather than giving the agent the ability to invoke the external binary automatically. If the registry is updated to explicitly declare the API key requirement and to provide an audited install or embed the vetted client code, confidence would increase.
Capability Analysis
Type: OpenClaw Skill
Name: spots
Version: 0.2.0
The skill is classified as suspicious due to two high-risk capabilities outlined in `SKILL.md`. First, the `go install github.com/foeken/spots@latest` instruction involves downloading and executing code from a remote source, which introduces a supply chain risk. Second, the `op://Echo/Google API Key/credential` instruction directs the agent to interact with a credential manager (1Password) to retrieve a sensitive API key. While these actions are presented as necessary for the skill's stated purpose, they represent powerful capabilities that could be exploited under different circumstances, thus exceeding the threshold for a benign classification.
Capability Assessment
Purpose & Capability
The skill's stated purpose (exhaustive Google Places/grid scanning) legitimately requires a Google Places + Geocoding API key, and the SKILL.md reflects that. However, the registry metadata lists no required environment variables or primary credential, which is inconsistent with the runtime instructions that say to export GOOGLE_PLACES_API_KEY.
Instruction Scope
The SKILL.md tells the agent/user to run a local binary (~/projects/spots/spots) or install via `go install github.com/foeken/spots@latest` and to export GOOGLE_PLACES_API_KEY. It references a 1Password path for the key. Instructions therefore: (a) expect an external, third-party binary to be executed (not provided by the skill), and (b) implicitly require the agent/environment to hold/read an API key not declared in metadata. There are no instructions that read unrelated system files, but running an arbitrary binary is a higher-scope action than an instruction-only skill usually requires.
Install Mechanism
There is no install spec in the registry (instruction-only). The SKILL.md recommends installing a Go binary from a third‑party GitHub repo (github.com/foeken/spots). That is a legitimate distribution method for a CLI, but the skill does not provide the binary itself nor vet it — installing/executing code from an external repo carries typical supply-chain risks and should be reviewed prior to installation.
Credentials
The runtime instructions require a GOOGLE_PLACES_API_KEY (and implicitly access to 1Password/its path) but the skill metadata did not declare any required env vars or primary credential. Requesting a Google API key is proportionate for the described purpose, but the missing declaration and the 1Password reference are inconsistent and could lead to accidental exposure of a sensitive key if the agent/environment is configured without the user's careful review.
Persistence & Privilege
The skill does not set always:true, does not request system config paths, and has no install-time persistence declared. Autonomous invocation is allowed (platform default), but there is no extra permanent presence or modification of other skills/config reported.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install spots - After installation, invoke the skill by name or use
/spots - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.0
Add --coords flag for direct lat,lng input, spots setup command, improved docs
v0.1.0
Initial release: exhaustive Google Places search with grid scanning, reviews command, coordinate input
Metadata
Frequently Asked Questions
What is spots?
Exhaustive Google Places search using grid-based scanning. Finds ALL places, not just what Google surfaces. It is an AI Agent Skill for Claude Code / OpenClaw, with 2351 downloads so far.
How do I install spots?
Run "/install spots" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is spots free?
Yes, spots is completely free (open-source). You can download, install and use it at no cost.
Which platforms does spots support?
spots is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created spots?
It is built and maintained by Dreetje (@foeken); the current version is v0.2.0.
More Skills