ClawHub

Seoul Subway

v0.1.19

Seoul Subway assistant for real-time arrivals, route planning, and service alerts (Korean/English)

2· 4.3k·0 current·0 all-time
by@dukbong
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (real-time arrivals, routes, alerts) align with the instructions: the skill issues web requests to a proxy to fetch transit data. It does not request unrelated credentials or binaries.
Instruction Scope
SKILL.md instructs the agent to call a single external proxy (vercel-proxy-henna-eight.vercel.app) via WebFetch and provides curl examples. The doc explicitly states only station names and search parameters are sent, but that is a trust assertion about the proxy; the instructions do not include a technical guarantee (e.g., signed request schema) and do not explicitly forbid the agent from including additional context in requests. Network calls to an external service are within the skill's purpose but rely on trusting the proxy's behavior.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by the skill itself, which minimizes install risk.
Credentials
The skill requests no environment variables, credentials, or config paths. The only data exposure is network-level: the proxy will see request payloads (station/search parameters) and standard HTTP headers (including client IP/User-Agent).
Persistence & Privilege
The skill is not always-enabled and does not request special agent privileges. However, the SKILL.md recommends granting persistent permission to the proxy domain ('Yes, and don't ask again'), which would allow repeated network access to that external host without further prompts — this increases persistence and blast radius if the proxy's behavior is untrusted.
Assessment
This skill appears to do what it says: it fetches Seoul subway data via an external proxy and asks for permission to call that domain. Before installing or enabling persistent access: 1) Verify the proxy (review the linked GitHub repo/source code) to confirm it only forwards station names and parameters; 2) Avoid selecting 'Yes, and don't ask again' unless you trust the proxy operator; 3) Prefer using an official API or run your own proxy if you need stronger privacy guarantees; 4) Be aware the proxy will see your IP and User-Agent even if it does not log conversation text. If you need certainty about what is transmitted, ask the skill author for a request schema or self-hosting instructions.

Like a lobster shell, security has layers — review code before you run it.

latestvk97eggydabd1hkd12k36jkp7b180z8ck

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments