google-maps-api
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- CREDENTIALS_UNSAFE (LOW): The skill requires a GOOGLE_MAPS_API_KEY. The README notes that for personal use, the key is embedded in generated interactive HTML pages, which creates a risk of accidental exposure if these files are shared or accessed by unauthorized local processes.
- EXTERNAL_DOWNLOADS (LOW): The README contains a contradiction, claiming zero dependencies while also mentioning Playwright for browser automation during API enablement. This implies potential undeclared dependencies or runtime installation not explicitly listed in the package manifest.
- REMOTE_CODE_EXECUTION (LOW): The installation instruction 'claude skill install tivojn/google-maps-api-skill' downloads and executes code from an untrusted third-party GitHub repository. While standard for skill distribution, the source is not a recognized trusted organization.
- Indirect Prompt Injection (LOW):
  - Ingestion points: gmaps.py fetches data from 20+ Google Maps APIs, including Place Search and Reviews which contain user-generated content.
  - Boundary markers: Absent in documentation for HTML generation.
  - Capability inventory: Network access via urllib and local file writing.
  - Sanitization: Not specified; API responses could contain malicious payloads targeting the agent context or generated HTML (XSS).
Audit Metadata