local-places

Pass

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, DATA_EXFILTRATION

Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill ingests and processes untrusted data from an external source (Google Places API), which could contain malicious instructions designed to influence the agent.
  • Ingestion points: Data enters the agent context through the search results returned by search_places and get_place_details in src/local_places/google_places.py.
  • Boundary markers: None identified. The instructions in SKILL.md do not specify delimiters to isolate API responses from agent instructions.
  • Capability inventory: The skill performs network operations via httpx to external endpoints.
  • Sanitization: No sanitization or validation of the text content returned from the Google API (e.g., place names, addresses) is performed before presentation to the agent.
  • [Data Exfiltration] (LOW): The skill communicates with https://places.googleapis.com, which is a non-whitelisted external domain. While this is the intended functionality for a Google Places skill, it technically meets the criteria for a low-severity network finding.
  • [Data Exfiltration] (LOW): The FastAPI server is configured in src/local_places/main.py and SERVER_README.md to bind to 0.0.0.0. This exposes the local API—and by extension, the user's GOOGLE_PLACES_API_KEY usage—to the entire local network without authentication.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 18, 2026, 06:11 PM