goplaces
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADS
Full Analysis
- Unverifiable Dependencies (LOW): The skill installs the 'goplaces' binary via a non-trusted Homebrew tap ('steipete/tap/goplaces'). This constitutes an external download from a source not on the pre-approved whitelist.
- Indirect Prompt Injection (LOW): The skill processes data from the external Google Places API, which could be manipulated by third parties. Evidence Chain: 1. Ingestion points: API responses (reviews, place details) via goplaces CLI. 2. Boundary markers: Absent. 3. Capability inventory: Execution of CLI commands. 4. Sanitization: None detected in the skill definition.
Audit Metadata