ClawHub

BusLah - Singapore Bus Arrivals

v1.0.0

One-word trigger for next bus arrival to your destination

0· 345·0 current·0 all-time
byAbhay Bhat@abhayjb·duplicate of @abhayjb/arrivelah
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
SKILL.md describes a multi-step natural-language flow (geocoding via OneMap, scanning routes.json, choosing nearest stops, direction checks, etc.). The included bus-arrival.sh, however, only reads config.json and queries a single default stop/service from arrivelah2. That means the shipped code does not implement the claimed functionality. Additionally, SKILL.md metadata mentions 'curl' while the registry metadata listed no required binaries; the script actually requires both curl and jq but jq is not declared.
Instruction Scope
The instructions themselves (use public OneMap and busrouter endpoints, compute distances, fetch arrivals) stay within the stated purpose and reference only public APIs. They do not instruct reading unrelated system files or exfiltrating secrets. The problem is they describe behavior not implemented in the bundled script, so runtime behavior may differ from the documentation.
Install Mechanism
There is no install spec (instruction-only skill with a bundled script), so nothing is downloaded or installed automatically. This is low-risk from an install-mechanism perspective.
Credentials
The skill requests no environment variables or credentials (appropriate). However, the script requires command-line tools: curl (mentioned in SKILL.md metadata) and jq (used by the script) — jq is not declared in the metadata. No secrets or unrelated credentials are requested.
Persistence & Privilege
The skill is not always-enabled and is user-invocable only. It does not request elevated privileges, does not modify other skills' configs, and does not persist beyond its included files.
What to consider before installing
This skill's documentation promises a full natural-language bus-route lookup (geocoding, route direction checks, nearest stops), but the bundled script only looks up a single configured stop/service from arrivelah2 using the included config.json. If you expected the full 'bus from <source> to <destination>' behavior, this package will not deliver it. Practical checks before installing: 1) Confirm the source/author (SKILL.md references a GitHub repo but registry 'source' is unknown). 2) If you plan to run the shipped script, ensure curl and jq are installed. 3) Inspect or edit config.json to avoid accidental queries for a stop/service you don't intend. 4) If you want the full NL/geocoding features, ask the author for the implementation or a corrected skill — the current mismatch could be sloppy packaging or an incomplete submission. There are no requested secrets and the endpoints used are public, so immediate data-exfiltration risk is low, but the functional mismatch is a real concern.

Like a lobster shell, security has layers — review code before you run it.

latestvk971g3nhhz9r4kn9ahhjnkaqa9826s13

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments