google-maps-api

Fail

Audited by Socket on Feb 21, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Natural language instruction to download and install from URL detected

All findings:

[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]

[HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3]

The module is a legitimate Google Maps Platform CLI/agent skill with powerful features that require a Google API key and can automate API enablement in a user's GCP Console. I found no evidence of intentional malicious behavior, obfuscation, or exfiltration to non-Google domains.

Primary security concerns are accidental: (1) Playwright-driven automation of the Google Cloud Console can perform privileged changes and must require explicit, per-action consent and visible project selection; (2) improper handling or embedding of API keys (unrestricted single key, client-side injection) can lead to key exposure and billing abuse.

Recommended safeguards: default to zero-key embed HTML, require explicit prompts/confirmations before any automated console actions (including a clear list of APIs to be enabled and target project shown), instruct and enforce API key restrictions (API-level, referrer/IP), prefer backend-proxy patterns for production, and avoid batch enablement without explicit, per-API confirmation.

LLM verification: This document is a comprehensive, security-conscious specification and user guide for a Google Maps Platform CLI/AI agent skill. There is no evidence in the provided text of malware, obfuscation, or remote code execution. The primary security concerns are operational: accidental or intentional exposure of API keys (especially if users opt into Maps JS embedding), and the high-impact Playwright automation that can enable APIs in a user's Google Cloud project. Without the actual gmaps.py implement

Confidence: 98%
Severity: 90%

Audit Metadata
Analyzed At: Feb 21, 2026, 09:47 AM
Package URL: pkg:socket/skills-sh/tivojn%2Fgoogle-maps-api-skill%2Fgoogle-maps-api%2F@762cbdb03ef0e558df725cf49c50d7372e628368