Skill v1.0.0
ClawScan security
NZTA Traffic · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 6, 2026, 9:00 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is coherent with its description: it queries the public Waka Kotahi traffic REST API and does not request secrets or install arbitrary code, but the package metadata omits required runtime binaries (curl, python3).
- Guidance: This skill appears to do what it says: query the public Waka Kotahi traffic API and present results. Before installing or running, note that the included script requires curl and python3 even though the metadata doesn't declare them; ensure those binaries exist and are the versions you expect. The script makes outbound requests to https://trafficnz.info (and constructs image URLs from responses); if you have network egress restrictions or a security policy about contacting external hosts, consider running the script in a restricted environment or reviewing the script locally first. No secrets or unusual permissions are requested. If you want greater assurance, verify the domain and inspect the script yourself to confirm there are no modifications or unexpected network calls.
Review Dimensions
- Purpose & Capability (note): The name/description align with the code: the script queries the trafficnz.info REST API for events, journeys, and cameras. Minor incoherence: the registry metadata lists no required binaries, but the included script invokes curl and python3 (so those are implicitly required). No unrelated credentials or services are requested.
- Instruction Scope (ok): SKILL.md and the script instruct the agent to call trafficnz.info endpoints and format results. The script does not read local files, environment variables, or system configuration beyond normal runtime, nor does it send data to endpoints other than the documented API and image URLs derived from responses.
- Install Mechanism (ok): No install spec: instruction-only with a bundled script. Nothing is downloaded from third-party URLs and no archives are extracted. Risk is limited to running the included script.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The script only performs unauthenticated HTTP GET requests to the public API, which is proportionate for the stated purpose.
- Persistence & Privilege (ok): The skill does not request always:true, does not modify other skills or system configuration, and is user-invocable only. It does not persist credentials or enable itself autonomously beyond normal skill behavior.
