Total downloads: 2351
Favorites: 1
Current installs: 5
Versions: 2
Install in OpenClaw: `/install spots`
Description
Exhaustive Google Places search using grid-based scanning. Finds ALL places, not just what Google surfaces.
Security recommendations
This skill appears to be a wrapper around a third‑party CLI that performs grid-based queries of Google Places and therefore needs a Google Places + Geocoding API key. Before installing or running it:
1) Confirm the repository (https://github.com/foeken/spots) and review its code for any unexpected behavior (network calls, file access, telemetry).
2) Don't put your production-wide Google API key into a shared agent environment — create a key with minimal permissions and monitor usage/billing.
3) The registry metadata should have declared GOOGLE_PLACES_API_KEY; treat that omission as a red flag and avoid allowing the agent to auto-read environment secrets until the skill metadata is corrected.
4) If you use 1Password, verify how secrets are retrieved (do not give broad CLI/agent access to your vault without auditing).
5) If you want lower risk, run the CLI locally yourself (in an isolated environment) rather than giving the agent the ability to invoke the external binary automatically.
If the registry is updated to explicitly declare the API key requirement and to provide an audited install or embed the vetted client code, confidence would increase.
Functional analysis
Type: OpenClaw Skill
Name: spots
Version: 0.2.0
The skill is classified as suspicious due to two high-risk capabilities outlined in `SKILL.md`. First, the `go install github.com/foeken/spots@latest` instruction involves downloading and executing code from a remote source, which introduces a supply chain risk. Second, the `op://Echo/Google API Key/credential` instruction directs the agent to interact with a credential manager (1Password) to retrieve a sensitive API key. While these actions are presented as necessary for the skill's stated purpose, they represent powerful capabilities that could be exploited under different circumstances, thus exceeding the threshold for a benign classification.
Capability assessment
Purpose & Capability
The skill's stated purpose (exhaustive Google Places/grid scanning) legitimately requires a Google Places + Geocoding API key, and the SKILL.md reflects that. However, the registry metadata lists no required environment variables or primary credential, which is inconsistent with the runtime instructions that say to export GOOGLE_PLACES_API_KEY.
Instruction Scope
The SKILL.md tells the agent/user to run a local binary (~/projects/spots/spots) or install via `go install github.com/foeken/spots@latest` and to export GOOGLE_PLACES_API_KEY. It references a 1Password path for the key. Instructions therefore: (a) expect an external, third-party binary to be executed (not provided by the skill), and (b) implicitly require the agent/environment to hold/read an API key not declared in metadata. There are no instructions that read unrelated system files, but running an arbitrary binary is a higher-scope action than an instruction-only skill usually requires.
Install Mechanism
There is no install spec in the registry (instruction-only). The SKILL.md recommends installing a Go binary from a third‑party GitHub repo (github.com/foeken/spots). That is a legitimate distribution method for a CLI, but the skill does not provide the binary itself nor vet it — installing/executing code from an external repo carries typical supply-chain risks and should be reviewed prior to installation.
Credentials
The runtime instructions require a GOOGLE_PLACES_API_KEY (and implicitly access to 1Password/its path) but the skill metadata did not declare any required env vars or primary credential. Requesting a Google API key is proportionate for the described purpose, but the missing declaration and the 1Password reference are inconsistent and could lead to accidental exposure of a sensitive key if the agent/environment is configured without the user's careful review.
Persistence & Privilege
The skill does not set always:true, does not request system config paths, and has no install-time persistence declared. Autonomous invocation is allowed (platform default), but there is no extra permanent presence or modification of other skills/config reported.
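How to use
- Make sure OpenClaw is installed (locally or via Docker).
- Enter the install command in the chat box: `/install spots`
- Once installation completes, call the Skill by name or trigger it with `/spots`.
- Provide the required input according to the Skill's parameter description to get structured output.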
Version history
v0.2.0
Add --coords flag for direct lat,lng input, spots setup command, improved docs
v0.1.0
Initial release: exhaustive Google Places search with grid scanning, reviews command, coordinate input
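Metadata
FAQ
What is spots?
Exhaustive Google Places search using grid-based scanning. Finds ALL places, not just what Google surfaces. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 2351 downloads to date.
How do I install spots?
Run the command `/install spots` in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is needed.
Is spots free?
Yes, spots is completely free (open source and free of charge) and can be freely downloaded, installed and used.
Which platforms does spots support?
spots is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed spots?
It is developed and maintained by Dreetje (@foeken); the current version is v0.2.0.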