London public transport journey planner and disruptions
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: transport-for-london-journey-disruption Version: 1.0.1 The OpenClaw skill bundle for TfL journey planning and disruption checks is benign. The `SKILL.md` provides clear instructions for the AI agent to interact with the TfL API, and the `scripts/tfl_journey_disruptions.py` script implements this functionality by making HTTP GET requests to `https://api.tfl.gov.uk`. It reads `TFL_APP_ID` and `TFL_APP_KEY` from environment variables for authentication, which is a standard practice for API clients. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, prompt injection attempts against the agent, or obfuscation. All actions are directly aligned with the stated purpose of the skill.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your travel query, including locations and time, is shared with TfL to produce the journey plan.
The skill sends the user's origin, destination, date, and time to TfL's external API as part of its core journey-planning function.
Call: `/Journey/JourneyResults/{from}/to/{to}?date=YYYYMMDD&time=HHMM&timeIs=Depart|Arrive`Use it only for journey details you are comfortable sending to TfL, and avoid overly precise personal locations if that matters to you.
If you configure TfL API credentials, they will be used for requests to TfL.
The helper can read optional TfL API credentials from the environment and include them in TfL request parameters.
app_id = os.environ.get("TFL_APP_ID")
app_key = os.environ.get("TFL_APP_KEY")
params["app_key"] = app_keyOnly set TfL API credentials you intend this skill to use, and treat those environment variables as sensitive.