Korea metropolitan bus alerts
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate bus-alert skill, but it stores a TAGO API key and creates persistent Clawdbot cron jobs, so users should verify setup and delivery targets.
Install or run this only if you use Clawdbot Gateway/cron and need TAGO bus alerts. Review the generated cron job before adding it, confirm the DM target is yours, protect the TAGO key file, and remove alerts you no longer need.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken job ID could remove an unintended scheduled job.
The helper can remove Clawdbot cron jobs by ID after confirmation, which is purpose-aligned for deleting alerts but changes scheduler state.
out = _run([exe, "cron", "remove", job_id])
Review cron job IDs carefully, keep the confirmation step, and prefer listing/filtering bus-alert jobs before removal.
The Gateway service will be able to use the TAGO key, and anyone who can read the env file could use that key.
The setup flow stores the TAGO API key locally with restrictive permissions so Gateway cron jobs can use it.
lines.append(f"TAGO_SERVICE_KEY={key}\n") ... os.chmod(path, 0o600)Use a dedicated TAGO key if possible, keep the file private, do not share config output containing env values, and rotate the key if it may have leaked.
Your commute pattern and messaging target may remain in Clawdbot cron configuration until the job is removed.
The persisted cron job stores the schedule, stop identifiers, route list, and delivery target for future agent runs.
"schedule": {"kind": "cron", "cron": spec.to_cron(), "tz": spec.tz}, ... "message": build_prompt(city, node, routes), ... "channel": channel, "to": toTreat cron job exports/configuration as private and delete alerts you no longer use.
If the wrong target is entered, bus alerts could be sent to an unintended DM or channel.
Although the documentation says DM-only, the helper accepts a user-entered delivery channel and target and does not itself verify that the target is the registering user's DM.
channel = input("Deliver channel (e.g. telegram): ").strip() or "telegram"
to = input("Deliver to (DM chat id / user id target): ").strip()Verify the Gateway channel and DM/user ID before registering a job, and avoid group or channel IDs unless you explicitly intend that.
The agent will continue running the alert on the configured schedule until the cron job is removed.
The skill creates persistent scheduled agent turns that run later and deliver messages, which is expected for bus alerts.
"sessionTarget": "isolated",
"payload": {
"kind": "agentTurn",
"message": build_prompt(args.city, args.node, routes),
"deliver": TrueReview the generated cron JSON before adding it and periodically list/remove old alerts.