Local Places

Scanned on 2/7/2026

72/100 low

Google Places API integration with proper error handling but has path injection vulnerability and lacks input validation on critical parameters.

Trust Score: 72/100
Risk Level: medium
Issues Found: 6

Security Analysis

This OpenClaw skill integrates with the Google Places API and demonstrates several good security practices, including proper error handling, timeouts, and structured data validation. However, it has a significant path injection vulnerability in the get_place_details function, where the place_id parameter is interpolated directly into the URL without validation. An attacker could potentially inject path traversal sequences or manipulate the API endpoint. Additionally, GOOGLE_PLACES_BASE_URL can be overridden via an environment variable, which could redirect API calls (and the API key sent with them) to malicious endpoints. The code shows no signs of intentional malicious behavior, but these vulnerabilities could be exploited if an attacker can control the environment variables or input parameters. The incomplete resolve_locations function prevents a full assessment. Overall, this represents a moderate risk that should be addressed before production use, particularly the input validation issues.

Security Findings

1. high - code-execution

Path injection vulnerability in get_place_details function: the place_id parameter is directly interpolated into the URL without validation or sanitization.

Evidence:

    url = f"{GOOGLE_PLACES_BASE_URL}/places/{place_id}"

Recommendation: Validate place_id against a strict pattern (alphanumeric/hyphens only) or use URL encoding. Add input validation to ensure place_id matches the expected format before constructing the URL.

2. medium - network

GOOGLE_PLACES_BASE_URL can be overridden via an environment variable, allowing redirection of API calls to arbitrary endpoints.

Evidence:

    GOOGLE_PLACES_BASE_URL = os.getenv("GOOGLE_PLACES_BASE_URL", "https://places.googleapis.com/v1")

Recommendation: Remove the environment variable override or restrict it to an allowlist of trusted domains. Hardcode the Google Places API URL or validate the URL scheme and domain.

3. medium - credentials

The API key is sent in headers to potentially untrusted endpoints if GOOGLE_PLACES_BASE_URL is modified.

Evidence:

    "X-Goog-Api-Key": api_key is sent to GOOGLE_PLACES_BASE_URL, which can be overridden

Recommendation: Ensure the API key is only sent to verified Google domains. Implement domain validation before sending credentials.

4. low - network

No rate limiting or request throttling is implemented, which could lead to API quota exhaustion or abuse.

Evidence:

    Direct API calls without rate limiting in search_places, get_place_details, resolve_locations

Recommendation: Implement rate limiting middleware or use a request throttling mechanism to prevent abuse.

5. low - other

Incomplete code: the resolve_locations function is truncated and may contain additional vulnerabilities.

Evidence:

    def resolve_locations(request: LocationResolveRequest) -> LocationResolveResponse: url = f"{GOOGLE_PLACES_BASE_URL}/places:searchTex

Recommendation: Review the complete implementation of the resolve_locations function for security issues.

6. info - other

Error messages may leak sensitive information about the internal API structure.

Evidence:

    logger.error logs include the full response text, which may contain sensitive data

Recommendation: Sanitize error logs to remove potentially sensitive information before logging.

✅ Good Security Practices

  • Uses environment variables for API key management instead of hardcoding
  • Implements proper timeout (10 seconds) for HTTP requests
  • Uses structured error handling with HTTPException
  • Employs field masks to limit data exposure from Google API
  • Uses type hints and Pydantic schemas for input validation
  • Proper exception handling for network errors and JSON parsing
  • No use of dangerous functions like eval() or exec()
  • No obvious obfuscation or encoding attempts

Source Information

ClawHub Page: clawhub.com/skills/local-places
Source URL: /opt/homebrew/lib/node_modules/openclaw/skills/local-places
Code Size: 14,133 characters
Semgrep Findings: 0