Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TomTom Traffic Intelligence

v1.0.0

Provides real-time traffic data, route calculation, and departure planning using TomTom Traffic API for commute and meeting alerts.

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description claim TomTom Traffic API usage and the code/SKILL.md clearly use TomTom API — that is coherent. However, the published registry metadata lists no required environment variables or primary credential while both SKILL.md and traffic-check.js require TOMTOM_API_KEY. This metadata omission is an incoherence and reduces trust (someone installing from the registry would not be warned they must supply an API key).
Instruction Scope
The runtime instructions and code stay within the stated purpose: calling TomTom endpoints, formatting route/alert data, and printing or returning results. The SKILL.md and code only reference TomTom endpoints and the local CONFIG; they do not read unrelated system files or send data to third-party endpoints beyond TomTom. Minor caveat: SKILL.md states 'No sensitive location data logged' but the CLI prints route/origin/destination info to stdout — acceptable for typical use but may expose location to anyone with access to console logs.
Install Mechanism
There is no install spec (instruction-only + a single JS file). No external downloads or package installs are performed by the skill. One operational note: the code uses fetch in Node — depending on the runtime Node version that may require Node 18+ or an explicit fetch polyfill; this is an operational compatibility issue, not a security risk.
Credentials
The TOMTOM_API_KEY requested by SKILL.md and enforced by the code is proportional to the skill's function (calling the TomTom API). However, the skill registry metadata declares 'Required env vars: none' and 'Primary credential: none', which is incorrect and misleading. No unrelated secrets are requested by the code.
Persistence & Privilege
The skill does not request persistent/always-on inclusion, does not declare system config paths, and does not modify other skills' configs. It runs as a normal user-space script and exports a module for integration; privileges requested are appropriate for the stated function.
What to consider before installing
This skill generally does what it says (calls the TomTom Traffic API and computes departure times), but the registry metadata is missing a critical requirement: you must set TOMTOM_API_KEY in your environment. Before installing or running it:
1) Ensure you trust the source — owner/homepage are unknown.
2) Provide a TomTom API key (store it in an environment variable, do not hard-code it into the repo).
3) Verify your Node runtime supports fetch (Node 18+ or add a polyfill).
4) Be aware the script prints route and location info to stdout — don't run it where console logs are exposed to untrusted parties.
5) Ask the maintainer to update the registry metadata to declare TOMTOM_API_KEY as a required credential and, ideally, provide a homepage or repo so you can review changes and history.
If those metadata and provenance issues are resolved, the skill appears coherent with its purpose.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
traffic-check.js:19
Environment variable access combined with network send.



License

MIT-0
Free to use, modify, and redistribute. No attribution required.
