spots
Audited by Socket on Feb 21, 2026
1 alert found:
Security [Skill Scanner]: Installation of third-party script detected

Benign with caveats. The fragment aligns with a legitimate tool for exhaustive Google Places searches and reveals standard credential handling patterns. The primary concerns are secure handling of API keys and avoiding inadvertent exposure in logs or outputs; ensure the actual implementation enforces secure secret handling and minimal privilege usage.

LLM verification: The provided SKILL.md describes a legitimate CLI utility that requires Google Places & Geocoding API access and instructs installation from GitHub. The document itself contains no explicit malicious code or hard-coded secrets, but it does present supply-chain and credential-exposure risks: installing unpinned remote code and handing a sensitive API key to a third-party binary. Without the repository source code and dependency tree, it is not possible to rule out credential exfiltration or other