goplaces
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill metadata specifies the installation of the
goplacesbinary via a Homebrew tap (steipete/tap/goplaces). This is a legitimate distribution method for the author's own utility. - [COMMAND_EXECUTION]: The skill operates by executing the
goplacescommand-line tool to perform various Google Places API queries. The examples provided use standard flags for search, resolve, and detail operations. - [PROMPT_INJECTION]: The skill retrieves external data such as business reviews and descriptions from Google Places. This introduces an indirect prompt injection surface where malicious content within a review could attempt to influence the agent's behavior during processing. However, there are no instructions in the skill that bypass safety filters or encourage obedience to external data instructions.
- [CREDENTIALS_UNSAFE]: The skill correctly identifies the need for a
GOOGLE_PLACES_API_KEYenvironment variable. It does not provide any hardcoded secrets and follows standard practices for secret management by requiring the user to provide the key via the environment.
Audit Metadata