Is goplaces safe?

The skill installs a binary via 'brew install steipete/tap/goplaces', which pulls from a third-party Homebrew tap. Homebrew taps can contain arbitrary Ruby formula code and install compiled binaries. The trust chain extends beyond the skill package to the tap maintainer's GitHub repository and any binaries distributed through it.

The skill requires GOOGLE_PLACES_API_KEY to be set as an environment variable. While standard practice for API access, environment variables are accessible to all processes in the same session. The key could be logged or exposed if the agent prints debug output.

The optional GOOGLE_PLACES_BASE_URL environment variable allows overriding the API endpoint. If a user were tricked into setting this to a malicious server, all place queries and the API key would be sent to the attacker's endpoint. However, this requires explicit user action.

The goplaces CLI binary makes outbound HTTPS requests to Google Places API. As an external compiled binary, its behavior cannot be audited from the skill definition alone. Users must trust the binary author.

The SKILL.md contains only standard CLI documentation. No attempts to override system prompts, suppress output, manipulate agent personas, or chain with other skills in unexpected ways.

The filesystem monitoring shows reads of .env, .aws/credentials, .profile, .bashrc, and .openclaw/ config files. These are initiated by the openclaw agent framework during skill installation, not by the skill itself. The .aws/credentials read is notable but is framework behavior.