Youbike Mcp

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: youbike-mcp
Version: 1.0.2

The skill bundle provides a functional YouBike station search tool for Taiwan, but it contains significant supply chain anomalies. The package.json and package-lock.json files reference non-existent or future versions of several dependencies (e.g., axios 1.13.6, zod 4.3.6, and express 5.2.1), and the _meta.json file includes a publication timestamp from the year 2026. While the core logic in src/index.js appears benign and correctly implements the stated features using legitimate public API endpoints, these versioning irregularities are strong indicators of an untrusted or synthetic origin that could be used for dependency confusion.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You may have less ability to confirm who maintains the skill or compare it against an official repository.

Why it was flagged

The skill's provenance is limited because no upstream source or homepage is provided. This does not contradict the implementation, but users have less context for independently verifying the package.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included files and package metadata before installing, especially if using it in a sensitive environment.

What this means

Running npm install may execute the husky lifecycle command in addition to installing dependencies.

Why it was flagged

The documented npm setup can trigger npm lifecycle script execution, including the prepare script. The script is a common development hook tool and no malicious hook content is shown, but it is still code execution during local setup.

Skill content

"scripts": {
    "start": "node src/index.js",
    "test": "node tests/test-integration.js",
    "prepare": "husky"
}

Recommendation

If you do not need development hooks, inspect scripts first or consider installing with npm script execution disabled in a controlled environment.