v1.0.0

Cta Skill

Benign. ClawScan verdict for this skill. Analyzed May 1, 2026, 5:56 AM.

Analysis

This is a coherent CTA transit helper that uses official CTA APIs, optional CTA API keys, and a local public transit-data cache; the main thing to notice is that some prerequisites are under-surfaced in registry metadata.

Guidance: This skill appears safe for its stated CTA transit purpose. Before installing, be comfortable providing CTA-specific API keys for train/bus lookups, keep the skill’s .env file limited to those keys, and know that the refresh command stores public schedule data under ~/.cta/gtfs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info, Confidence: High, Status: Note
SKILL.md
requires:
  bins: ["node", "unzip"]
  env: ["CTA_TRAIN_API_KEY", "CTA_BUS_API_KEY"]
install:
  - ... command: "npm install --prefix $SKILL_DIR"

SKILL.md discloses runtime binaries, API-key environment variables, and an npm setup step that are not surfaced in the registry metadata.

User impact: Installation or first use may require manual setup that the registry summary does not fully show.
Recommendation: Before installing, confirm Node.js and unzip are available, configure CTA keys only if you need train/bus features, and review the no-dependency package.json if running npm install.

Unexpected Code Execution
Severity: Low, Confidence: High, Status: Note
SKILL.md
On first use, run `node scripts/cta.mjs refresh-gtfs` to download and extract the static GTFS data ... to `~/.cta/gtfs/`.

The skill includes a user-directed command that downloads and extracts public CTA schedule data locally; this is aligned with route/stop lookup functionality.

User impact: Running the refresh command will create or update local CTA schedule files in your home directory.
Recommendation: Run refresh-gtfs only when you want the local schedule cache updated, and expect files to be written under ~/.cta/gtfs.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low, Confidence: High, Status: Note
scripts/cta.mjs
Environment variables: CTA_TRAIN_API_KEY, CTA_BUS_API_KEY ... External endpoints: https://lapi.transitchicago.com ... https://www.ctabustracker.com

The skill uses CTA-specific API keys and sends requests to CTA-operated endpoints, which is expected for real-time train and bus data but still involves delegated API access.

User impact: Your CTA API keys will be used by the skill to request train and bus information from CTA services.
Recommendation: Use only CTA-issued keys for this skill, avoid placing unrelated secrets in its .env file, and rotate the keys if you no longer use the skill.