TripGo API

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward TripGo API wrapper, but users should note that it uses a TripGo API key and can save trips or register webhooks for trip updates.

Before installing, be comfortable sharing route, location, and trip-management requests with TripGo using your API key. Keep the default TripGo base URL unless you trust the alternative, use webhook allowlisting for callbacks, and only save trips or register hooks when you want trip data to persist or be sent to that callback.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using the skill must provide a TripGo API key, and requests made through the scripts will use that key.

Why it was flagged

The skill requires a TripGo API key and sends it as an authentication header, which is expected for this API integration but is still credential-bearing access.

Skill content

`TRIPGO_API_KEY`: Your TripGo API key (header: `X-TripGo-Key`).

Recommendation

Use a dedicated TripGo API key with the minimum needed privileges or quota, and avoid sharing logs or command lines that might expose the key.

What this means

If the base URL is changed to an unintended server, the API key could be sent there.

Why it was flagged

Scripts send the TripGo API key to the configured base URL. This is normal for TripGo calls, but the configurable base URL means users should avoid pointing it at untrusted hosts.

Skill content

`TRIPGO_BASE_URL="${TRIPGO_BASE_URL:-https://api.tripgo.com/v1}"` ... `-H "X-TripGo-Key: ${TRIPGO_API_KEY}"`

Recommendation

Keep TRIPGO_BASE_URL at the official TripGo API URL unless intentionally testing against a trusted endpoint.

What this means

A webhook receiver may learn details needed to access or track a trip update flow.

Why it was flagged

Webhook registration can send trip identifiers and trip URLs to an external callback. This is purpose-aligned for real-time updates and the SKILL.md says allowlisting is supported, but it is still an external data boundary.

Skill content

Registers a webhook callback to receive real-time updates when the trip changes ... Our platform will POST the tripID and tripURL to your registered URL when updates occur

Recommendation

Only register webhooks to trusted HTTPS domains and configure TRIPGO_WEBHOOK_ALLOWLIST for approved callback hosts.

What this means

Saved trips may remain accessible longer than a one-time route lookup and may include location or itinerary details.

Why it was flagged

The skill exposes an endpoint that can persist trip data beyond a temporary routing session. This is disclosed and aligned with trip management, but it affects retention of potentially sensitive travel information.

Skill content

Saves a trip for later use, making it persistent beyond the typical user session.

Recommendation

Save trips only when the user asks for persistence, and treat saved trip URLs as sensitive.

What this means

Users have less context for verifying the maintainer or comparing the scripts against an upstream project.

Why it was flagged

The registry metadata does not provide a source repository or homepage, which limits independent provenance verification even though the provided artifacts are coherent and the static scan is clean.

Skill content

Source: unknown; Homepage: none

Recommendation

Prefer installing from trusted publishers or compare the scripts and endpoints against the official TripGo API documentation before relying on them for sensitive workflows.