goplaces
Pass
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the 'goplaces' CLI utility from a third-party Homebrew tap ('steipete/tap/goplaces'). While the source is a personal repository, the developer is recognized in the macOS development community.
- [PROMPT_INJECTION]: The skill processes untrusted data from the Google Places API, such as reviews and place details (Ingestion: API responses via 'goplaces' CLI). No explicit boundary markers or delimiters are defined in the instructions to isolate this external content from agent instructions. The skill's documented capabilities are limited to querying and displaying information (Capability: Data retrieval and display). No specific sanitization or filtering of the API content is mentioned. This represents a standard indirect prompt injection surface common to data-retrieval tools.
Audit Metadata