v1.0.3

Capmetro Skill

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:46 AM.

Analysis

The skill appears to be a straightforward Austin transit helper, with ordinary npm dependency installation and a local transit-data cache to be aware of.

Guidance

Before installing, expect to run npm install and to download/extract CapMetro schedule data into ~/.capmetro/gtfs. The artifacts do not show credential use or data exfiltration, but run it as a normal user and only refresh the GTFS cache from the documented public source.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
package-lock.json
"node_modules/protobufjs": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/protobufjs/...", "hasInstallScript": true }

The skill depends on a third-party npm package for protobuf parsing, and the lockfile shows that dependency has an install script. This is consistent with the transit-feed purpose but is still package supply-chain activity.

User impact: Installing dependencies may run normal npm package installation logic from the npm ecosystem.
Recommendation: Install from the published package/lockfile, avoid running installation as an administrator, and update dependencies through trusted channels.

Unexpected Code Execution
Severity: Low, Confidence: High, Status: Note
scripts/capmetro.mjs
execFileSync('unzip', ['-o', tmpZip, '-d', GTFS_DIR], { stdio: 'pipe' });

The refresh command invokes the system unzip binary to extract a downloaded GTFS archive into the local cache. This is purpose-aligned and user-directed, but it is local command execution plus file writes.

User impact: Running the GTFS refresh will download and overwrite cached transit data files under the user's home directory.
Recommendation: Run refresh only when needed, do not run the skill with elevated privileges, and keep the cache location limited to ~/.capmetro/gtfs.