Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- scripts/tfl.mjs:36
Security audit
Security checks across malware telemetry and agentic risk
This skill appears to only fetch London transit information from the official TfL API, with no hidden execution, persistence, or unrelated data access found.
Reasonable to install if you want London TfL lookups. Be aware that journey searches, station names, coordinates, and the optional TFL_API_KEY may be sent to TfL; avoid putting unrelated secrets in the skill-local .env file.
66/66 vendors flagged this skill as clean.
Detected: suspicious.env_credential_access