v1.0.2

Korea metropolitan bus alerts

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 4:56 AM.

Analysis

The skill mostly matches its bus-alert purpose, but it builds recurring agent prompts from unvalidated route/stop inputs, so generated cron jobs should be reviewed carefully before use.

Guidance: Review the generated cron job JSON before adding it. Use only simple expected city codes, node IDs, and route numbers; do not paste unusual strings into route or stop fields. Run setup.py only if you are comfortable letting it store the TAGO key, patch the user systemd Gateway override, and restart the Gateway. Confirm that delivery targets are private DMs and periodically list/remove cron rules you no longer need.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Medium | Confidence: Medium | Status: Concern
scripts/cron_builder.py
routes_csv = ",".join(routes)
...
f"1) Run: python3 korea-metropolitan-bus-alerts/scripts/tago_bus_alert.py arrivals --city {city} --node {node} --routes {routes_csv}\n"

The recurring cron job's agentTurn message is assembled by inserting input values into an instruction the future agent will follow. Route, city, or node values are not shown here as strictly validated or encoded before becoming part of the scheduled prompt.

User impact: A malformed or instruction-like route/identifier value could cause the scheduled agent turn to follow instructions beyond the intended bus-arrival lookup.
Recommendation: Validate cityCode, nodeId, and route numbers with strict allowlists or regexes, reject newlines/control characters, and prefer structured tool arguments over natural-language command text in stored cron prompts.
Rogue Agents
Severity: Low | Confidence: High | Status: Note
scripts/cron_builder.py
"sessionTarget": "isolated",
"payload": {
  "kind": "agentTurn",
  "message": build_prompt(args.city, args.node, routes),
  "deliver": True,
  "bestEffortDeliver": True
}

The skill creates persistent scheduled agent turns that automatically deliver messages. This is disclosed and central to the bus-alert purpose, but users should understand that rules keep running until removed.

User impact: Registered alerts will continue running on their schedule and sending Gateway messages until the cron job is deleted.
Recommendation: Review generated job JSON before adding it, periodically list active cron jobs, and remove rules that are no longer needed.
Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
scripts/setup.py
patch_override(unit, env_file)
restart_gateway(unit)
...
run(["systemctl", "--user", "restart", unit], check=True)

The setup flow modifies the user's systemd Gateway override and restarts the Gateway. This is disclosed in SKILL.md and purpose-aligned for cron access to the TAGO key, but it is still a local service-configuration change.

User impact: Running setup can change how the user's Gateway service starts and can briefly interrupt it during restart.
Recommendation: Run setup only when comfortable changing the user-level Gateway service, inspect the generated override if needed, and keep a rollback path for the systemd override.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/setup.py
key = getpass.getpass("TAGO_SERVICE_KEY (input hidden): ").strip()
...
write_env_file(env_file, key)
...
os.chmod(path, 0o600)

The skill collects and stores a TAGO API key locally with restrictive file permissions. This credential use is disclosed and expected for TAGO API access, and the artifacts do not show hardcoding or printing the key.

User impact: The skill can use the user's data.go.kr TAGO key for bus-stop and arrival API requests.
Recommendation: Use an API key intended for TAGO access, do not paste it into chats or markdown, and keep the saved env file private.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
scripts/rule_wizard.py
channel = input("Deliver channel (e.g. telegram): ").strip() or "telegram"
to = input("Deliver to (DM chat id / user id target): ").strip()
...
"channel": channel,
"to": to

Gateway delivery is routed using user-entered channel and recipient values. The skill says delivery should be DM-only, but this code relies on the provided target being a DM target.

User impact: If the wrong target is entered, bus-alert messages could be sent somewhere other than the intended private DM.
Recommendation: Verify that the channel and recipient ID are for the registering user's private DM before registering the cron job.