Tabussen
v1.0.0Västerbotten & Umeå public transport trip planner (Tabussen/Ultra). Plans bus journeys using ResRobot API. Supports stops, addresses, coordinates, regional and local routes throughout Västerbotten county.
⭐ 1· 1.6k·0 current·0 all-time
by@simskii
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The name/description (ResRobot-based trip planner for Västerbotten/Umeå) matches the actual behavior: both scripts call api.resrobot.se and format journey/location results. However the registry metadata lists no required environment variables or primary credential even though the scripts clearly require RESROBOT_API_KEY to function. The requested credential itself (a Trafiklab/ResRobot API key) is proportional to the stated purpose.
Instruction Scope
SKILL.md instructs the agent to run the included shell scripts (search-location.sh and journey.sh) and to present results formatted for users. The instructions limit activity to querying ResRobot and formatting output, and the scripts only access the network (api.resrobot.se) and standard tools (curl, jq). There are no instructions to read arbitrary local files, other env vars, or send data to unrelated endpoints.
Install Mechanism
No install spec is provided (instruction-only with bundled shell scripts). No remote downloads or package installs are performed by the skill; the included code is plain shell scripts. This is low risk from an installer perspective.
Credentials
The two shell scripts require RESROBOT_API_KEY (checked at runtime and used as accessId in API calls). Yet the registry metadata declares no required env vars or primary credential. This omission is an inconsistency: the requested secret is appropriate for the stated purpose, but the skill manifest failing to declare it means automated permission/credential checks will not surface the need and users may be surprised into providing the key elsewhere.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It runs as invoked and does not persist or escalate privileges; normal autonomous invocation is allowed (disable-model-invocation is false) which is standard.
What to consider before installing
This skill's code looks like a straightforward ResRobot (Trafiklab) trip planner implemented as two shell scripts and requires curl and jq. Before installing: (1) Note that the scripts require RESROBOT_API_KEY — the registry metadata omitted this; verify where you'll supply that key and make sure the manifest is corrected. (2) Confirm the skill's origin (owner slug present but no homepage/source URL) — unknown source increases risk. (3) Limit the API key permissions if possible and avoid sharing broader credentials. (4) Review the included scripts yourself (they are short shell scripts) or run them in an isolated environment to verify behavior. (5) If you expect the platform to manage credentials, ask the publisher to declare RESROBOT_API_KEY as a required env var/primary credential so permission checks are accurate.Like a lobster shell, security has layers — review code before you run it.
latestvk9766s5h9rcbkddwjg3dvsabg9802thq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.