goplaces
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Potential surface for indirect prompt injection. The skill processes external data from the Google Places API (search results, place details, and reviews) which could contain adversarial instructions. Ingestion points: API output from search results and location details fetched using the goplaces CLI. Boundary markers: Absent; the skill does not use delimiters or safety markers to isolate API data from agent instructions. Capability inventory: The skill can execute the goplaces binary on the local system. Sanitization: Absent; the skill does not perform validation or escaping of the retrieved API content.
- [EXTERNAL_DOWNLOADS]: The skill requires downloading the goplaces binary from a third-party Homebrew tap (steipete/tap/goplaces).
- [COMMAND_EXECUTION]: The skill's primary functionality is achieved through the execution of the goplaces command-line utility.
Audit Metadata