NZTA Traffic
Security checks across malware telemetry and agentic risk
Overview
This skill appears to do what it says: query public NZTA traffic data, with only minor notes about outbound API requests and undeclared command-line dependencies.
This looks safe for checking public New Zealand highway traffic information. Be aware that it sends your traffic query to trafficnz.info and requires common local tools that are not declared in the metadata.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your road, region, journey, or camera query is sent to the public trafficnz.info service.
This shows the skill uses curl to make outbound requests to the disclosed NZTA traffic endpoint. That is expected for a real-time traffic lookup skill and is not paired with credential access or local data collection.
BASE_URL="https://trafficnz.info/service/traffic/rest/4" ... curl -sf --max-time "$TIMEOUT" -H "$ACCEPT" "${BASE_URL}/${path}"Use it for public traffic lookups and avoid entering unrelated sensitive information as query parameters.
The skill may fail or behave differently on systems without these tools installed.
The script depends on bash, curl, and python3, while the registry requirements declare no required binaries. This is an under-declared dependency issue, not evidence of malicious behavior.
#!/bin/bash ... curl -sf --max-time "$TIMEOUT" ... echo "$result" | python3 -c
Before use, confirm that bash, curl, and python3 are available in the environment.