ClawHub

Wheels Router

v0.5.0

Plan public transit trips globally using Wheels Router (Hong Kong) and Transitous (worldwide)

2· 1.7k·2 current·2 all-time
by@anscg
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Wheels Router + Transitous routing) match the runtime instructions: the SKILL.md describes using an MCP server and Transitous for worldwide coverage. No unrelated credentials, binaries, or config paths are required.
Instruction Scope
Instructions tell the user/agent how to add an MCP server entry to local client config files and how to call tools (e.g., via npx mcporter or mcp-remote). This is within scope for a remote routing skill, but it does mean user queries (locations/times) will be sent to an external server (mcp.justusewheels.com). The SKILL.md does not instruct reading unrelated system secrets or files.
Install Mechanism
Skill has no install spec (lowest risk). However the instructions recommend running npx mcporter/mcp-remote commands which will fetch and run npm packages at runtime; this is expected for MCP clients but carries typical npx/remote-package risks (dynamic code fetched from npm).
Credentials
No environment variables, credentials, or config paths are declared as required. The SKILL.md only suggests editing local MCP client config files to add the remote server — that is proportional to the skill's function.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent presence or modify other skills' configs. It asks users to add an MCP server entry to their client config (normal for remote integrations).
Assessment
This skill is coherent for transit routing, but note that using it will send location/time queries to the external server at https://mcp.justusewheels.com/mcp. Only add the MCP entry or run the suggested npx commands if you trust that host. Be aware npx will fetch packages from npm (dynamic code execution risk); avoid sending highly sensitive locations or personal data to the service until you’ve verified the provider and its privacy practices. If you need stronger assurance, ask the publisher for a homepage, privacy policy, or an official release source for the MCP server and the npm packages referenced.

Like a lobster shell, security has layers — review code before you run it.

latestvk974d3zjngw4ggtrpbnsw0k4gs7zztx3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments