Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Translink CLI

v1.0.1

Query, troubleshoot, and explain Translink SEQ GTFS static + realtime data using local translink_* commands or plugin slash commands. Use for schedule lookup...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description match the runtime instructions: it expects local translink_* CLI commands and exposes schedule/realtime GTFS workflows. However, the registry metadata lists no required binaries while SKILL.md explicitly requires the translink_* CLI scripts in PATH (an undeclared prerequisite). That mismatch is a packaging/information inconsistency the user should confirm.
Instruction Scope
SKILL.md confines behavior to running local translink_* commands, reading local generated schema/docs, and using a local cache (~/.openclaw/cache/translink/). It instructs the agent to stop and ask the user if the CLI is not installed. There are no instructions to read unrelated system files, access external endpoints, or exfiltrate data.
Install Mechanism
There is no install spec (instruction-only), so nothing will be written to disk by the skill itself. The SKILL.md references a GitHub repo for the CLI, but the URL has an apparent typo ('traslink' vs. 'translink') — the skill does not attempt to download or install that code autonomously.
Credentials
The skill declares no required environment variables or credentials and does not request secrets. It does reference a local cache path (~/.openclaw/cache/translink/), which is consistent with its stated purpose and is not privileged credential access.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges or modifications to other skills. Model invocation is allowed (platform default) but this is expected for a user-invocable skill that runs CLI commands.
What to consider before installing
This skill is instruction-only and appears to be a thin adapter that calls local translink_* CLI scripts. Before installing or using it:

1) Confirm you actually have the translink_* CLI installed from a trusted source — SKILL.md requires those binaries but the registry metadata did not declare them.
2) Verify the referenced GitHub repo URL (SKILL.md contains a likely typo) and inspect the CLI scripts for any network calls or unexpected behavior before putting them on PATH.
3) Because the skill relies on a local cache path (~/.openclaw/cache/translink/), check file permissions and where that cache will be stored.
4) If you cannot inspect the CLI code, run it in an isolated environment (container or VM) first.

The skill itself does not request secrets or try to auto-install code, so risk is low if you confirm the CLI source; the main issue is the packaging/documentation inconsistency which could hide an untrusted dependency.

Like a lobster shell, security has layers — review code before you run it.

