Cta Skill

v1.0.0

Chicago CTA transit — real-time L train arrivals, bus predictions, service alerts, and route info. Use when the user asks about Chicago public transit, L tra...

by Brian Leach (@brianleach)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (CTA transit data) matches requested env vars (CTA_TRAIN_API_KEY, CTA_BUS_API_KEY), required binaries (node, unzip), and the code which calls CTA Train/Bus/Alerts APIs and GTFS static feed.
Instruction Scope
SKILL.md and scripts instruct the agent to run the included Node CLI and a one-time refresh-gtfs that downloads and extracts the GTFS ZIP into ~/.cta/gtfs/. The runtime also reads a .env file from the skill directory (not arbitrary system-wide files). This is expected for offline schedule caching but is out-of-process file I/O the user should be aware of.
Install Mechanism
No remote arbitrary downloads or obscure install URLs. The install step is 'npm install --prefix $SKILL_DIR' and package.json has no dependencies. No extract-from-untrusted-URL installs are present in the skill itself (only the GTFS ZIP is fetched from CTA's official site during refresh-gtfs).
Credentials
Only two service-specific API keys are requested (CTA_TRAIN_API_KEY and CTA_BUS_API_KEY) and they are necessary for train/bus endpoints per the README. No unrelated secrets or broad credentials are requested.
Persistence & Privilege
always:false (normal). The skill writes cached GTFS files to the user's home directory (~/.cta/gtfs/) and reads them on demand. This is reasonable for a transit tool but does create persistent local files the user may want to control or clean up.
Assessment
This skill appears to do exactly what it says: query CTA Train/Bus/Alerts APIs and cache GTFS data locally. Before installing, ensure you: (1) only supply CTA API keys obtained from the official CTA developer pages; (2) have Node.js 18+ and unzip available; (3) are comfortable with the skill downloading/extracting GTFS into ~/.cta/gtfs/ (you can remove that folder later); (4) review the included scripts if you want to confirm no unexpected network endpoints or behavior. Running the skill in a restricted environment (or inspecting its output during first runs) is a reasonable precaution.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f6v9gxypbkyfdbhzdapgxwh81j9an
