{"skill":{"slug":"skedgo-tripgo-api","displayName":"SkedGo TripGo API","summary":"Comprehensive interface for the SkedGo TripGo API, covering routing, public transport, trips, and location services. Use for multimodal journey planning, pub...","tags":{"latest":"1.0.3"},"stats":{"comments":0,"downloads":353,"installsAllTime":0,"installsCurrent":0,"stars":0,"versions":3},"createdAt":1772238410753,"updatedAt":1777525456988},"latestVersion":{"version":"1.0.3","createdAt":1772241958350,"changelog":"# skedgo-tripgo-api v1.0.3 (metadata + webhook guardrails)\n\n## ✅ Registry metadata coherence fix\nUpdated `SKILL.md` frontmatter to include machine-readable OpenClaw requirements so ClawHub can correctly display runtime requirements:\n\n- Required env var: `TRIPGO_API_KEY`\n- Required binaries: `curl`, `jq`\n- Primary credential env: `TRIPGO_API_KEY`\n\nAdded frontmatter:\n```yaml\nmetadata: {\"openclaw\":{\"requires\":{\"bins\":[\"curl\",\"jq\"],\"env\":[\"TRIPGO_API_KEY\"]},\"primaryEnv\":\"TRIPGO_API_KEY\"}}\n```\n\n## 🔒 Webhook exfiltration-risk mitigation\nHardened `scripts/trips-hooks-a-trip-to-real-time-updates.sh` with default-safe webhook policy:\n\n1. Enforce `https://` webhook URLs only.\n2. Parse and validate webhook host.\n3. Require domain allowlist by default via:\n   - `TRIPGO_WEBHOOK_ALLOWLIST=example.com,webhooks.example.org`\n4. Allow bypass only with explicit opt-in:\n   - `TRIPGO_ALLOW_UNSAFE_WEBHOOK=true`\n5. Keep JSON input validation for headers and safe JSON body construction via `jq`.\n\nThis preserves legitimate TripGo webhook functionality while reducing abuse potential from arbitrary callback destinations.\n\n## Docs updates\nUpdated `SKILL.md` to document:\n- `TRIPGO_WEBHOOK_ALLOWLIST` (recommended)\n- `TRIPGO_ALLOW_UNSAFE_WEBHOOK` (debug/trusted use only)\n- security behavior for webhook registration\n\n## Verification\n- `bash -n` passed for updated webhook script.\n- Manual behavior checks confirm:\n  - missing allowlist => blocked\n  - non-allowlisted host => blocked\n  - only allowlisted hosts (or explicit unsafe override) can proceed\n\n---\n\nSuggested release note summary:\n> Fixes ClawHub metadata mismatch and adds secure-by-default webhook controls (HTTPS + allowlist, with explicit unsafe override) to reduce potential exfiltration risk while keeping TripGo hook support intact.","license":null},"metadata":{"os":null,"systems":null},"owner":{"handle":"guanyu-zhang","userId":"publishers:guanyu-zhang","displayName":"Guanyu Zhang","image":"https://avatars.githubusercontent.com/u/63548771?v=4"},"moderation":null}