Capmetro Skill

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill appears to be a coherent CapMetro transit-data helper that fetches public data and caches schedule files locally, with only routine setup and local-command notes.

This looks safe for its stated purpose. Before installing, be aware that it uses Node/npm, downloads public CapMetro data from data.texas.gov, runs `unzip` for the GTFS cache, and stores schedule files under `~/.capmetro/gtfs/`. Verify the package includes the referenced proto file if you need protobuf-based real-time features.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill may install npm packages needed to parse transit feeds.

Why it was flagged

The skill asks users to install a third-party npm dependency for protobuf parsing. This is disclosed and purpose-aligned, but it means installation depends on the npm package supply chain.

Skill content

command: "npm install --prefix $SKILL_DIR protobufjs"

Recommendation

Install from the published package or repository you trust, prefer the included lockfile where possible, and review dependency updates before upgrading.

What this means

Running the refresh command will execute `unzip` locally and overwrite files inside the CapMetro GTFS cache directory.

Why it was flagged

The refresh command invokes the local `unzip` binary to extract the downloaded GTFS static feed into the skill's cache directory. The command uses fixed arguments and is central to the stated purpose.

Skill content

execFileSync('unzip', ['-o', tmpZip, '-d', GTFS_DIR], { stdio: 'pipe' });

Recommendation

Run `refresh-gtfs` only when you intend to download or update the local schedule cache, and keep the cache directory scoped to `~/.capmetro/gtfs/`.

What this means

Some real-time protobuf commands may fail if the proto file is missing from the installed skill.

Why it was flagged

The code references a local `scripts/gtfs-realtime.proto` file, but the provided file manifest does not list that file. This looks like a packaging completeness issue rather than malicious behavior.

Skill content

const protoPath = path.join(path.dirname(new URL(import.meta.url).pathname), 'gtfs-realtime.proto');
_protobufRoot = await protobuf.load(protoPath);

Recommendation

Verify the installed skill includes `scripts/gtfs-realtime.proto` before relying on protobuf-based alerts or trip updates.