ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Simulated Roadtrip

v1.0.1

Generate a narrated road trip with GPS-verified stops and themed descriptions using real Google Maps data, posted in timed updates or chat.

0· 365·1 current·1 all-time
by@jpaulgrayson
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The description promises 'GPS-verified stops' and 'real Google Maps data', but the code calls only https://turai.org/api/agent/roadtrip and does not directly use Google Maps APIs. That could be legitimate if Turai provides Google-sourced data, but the skill metadata in the registry also claims 'Required env vars: none' while both SKILL.md and the script require TURAI_API_KEY — a clear metadata/code mismatch.
Instruction Scope
SKILL.md and the script are narrowly scoped: they send a POST to the Turai endpoint, format the returned stops, optionally save JSON and print/drip them to stdout. The SKILL.md mentions posting updates to chat/Moltbook/messaging channels, but the script itself does not integrate with any messaging API — posting must be performed by the agent or other glue code outside the script.
Install Mechanism
No install spec and only a small Node script are provided; nothing in the package downloads or executes remote artifacts. This is low-risk from an install perspective.
!
Credentials
Runtime requires a TURAI_API_KEY (used as x-api-key to turai.org) which is proportional to the described functionality. However, the registry metadata wrongly lists no required env vars/primary credential — that inconsistency is problematic because users may not realize they must provide an API key before running.
Persistence & Privilege
The skill does not request persistent placement (always:false) and does not modify other skills or system-wide settings. It only optionally writes an output JSON file path provided by the user.
What to consider before installing
Before installing or running: (1) Be aware you must supply a TURAI_API_KEY (SKILL.md and script require it, but the registry metadata does not list it). (2) Confirm what Turai.org actually returns and whether it uses Google Maps data if that matters to you — the script only calls Turai, not Google directly. (3) The script only prints and can save JSON; it does not automatically post to chat/social platforms — if you expect automatic posting, review or add the integration code yourself. (4) Because the source and homepage are not provided, consider running the script in a sandbox or with a limited/revocable API key first, inspect network traffic, and read the code (it's short) to verify behavior. (5) If you need stronger assurance, ask the publisher for provenance (homepage, source repo, and explanation of data sources).

Like a lobster shell, security has layers — review code before you run it.

latestvk97eqm2agsm5yzxe0agnpr5xdx81wqsx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments