ClawHub

SkedGo TripGo API

v1.0.3

Comprehensive interface for the SkedGo TripGo API, covering routing, public transport, trips, and location services. Use for multimodal journey planning, pub...

0· 319·0 current·0 all-time
byGuanyu Zhang@guanyu-zhang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description align with required artifacts: scripts implement TripGo endpoints and only require curl/jq and a TripGo API key (TRIPGO_API_KEY). Optional env vars (TRIPGO_BASE_URL, webhook allowlist, etc.) are directly relevant to API usage.
Instruction Scope
SKILL.md and the scripts remain within the declared scope (calling TripGo endpoints, validating JSON, URL-encoding inputs). A security-conscious webhook registration script enforces https and an allowlist by default. Note: many scripts print request bodies/URLs to stdout (for debugging) and accept arbitrary JSON for headers or webhook URLs — those outputs or supplied header JSON could contain sensitive data if you run the scripts with real secrets or untrusted webhook targets.
Install Mechanism
No install spec is provided (instruction-only install), so nothing is downloaded or extracted. The runtime relies on standard binaries (curl, jq, optional python3) which is low-risk.
Credentials
Only the TripGo API key is required (TRIPGO_API_KEY). Optional variables (TRIPGO_BASE_URL, TRIPGO_WEBHOOK_ALLOWLIST, TRIPGO_ALLOW_UNSAFE_WEBHOOK) are justified by the skill's webhook and base-URL configuration. Minor aliasing (TRIPGO_KEY in some scripts) is present but not a security concern.
Persistence & Privilege
The skill does not request persistent platform privileges (always is false). It does not attempt to modify other skills or system-wide settings; it runs as a set of scripts executed by the agent/user.
Assessment
This skill appears to do exactly what it claims: provide shell scripts to call TripGo endpoints. Before installing or running it: (1) only provide a TripGo API key (TRIPGO_API_KEY) — do not reuse high-privilege or unrelated credentials; (2) review any webhook URLs you register and set TRIPGO_WEBHOOK_ALLOWLIST to trusted domains (the scripts enforce https and an allowlist by default); (3) be aware many scripts print request bodies or URLs to stdout — avoid running them where logs are public if the inputs include sensitive info; (4) ensure curl and jq are available; (5) inspect and test scripts in a safe environment (no secrets) if you want to verify behavior. Overall the package is internally consistent and proportionate to its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk976chxy687jexxnrcxa8pem75820qpv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binscurl, jq
EnvTRIPGO_API_KEY
Primary envTRIPGO_API_KEY

Comments