Simulated Roadtrip
PassAudited by ClawScan on May 10, 2026.
Overview
This is a coherent Turai road-trip API client, but users should notice that it sends route details and a Turai API key to an external service and can run timed updates.
This skill appears safe to use if you trust Turai with your route details and API key. Before installing or running it, confirm that you want any generated stops posted to chat or social channels, avoid sensitive exact addresses, and use the drip-feed option only when you are comfortable with timed updates continuing later.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Registry checks alone may not tell the user that Node and a Turai API key are needed, or help them verify the provider/source.
The registry metadata does not provide provenance details or declare the credential/runtime requirements that are documented in the skill and script.
Source: unknown; Homepage: none; Required env vars: none; Primary credential: none
Verify that you trust turai.org before creating or using an API key, and prefer metadata that declares TURAI_API_KEY and the Node runtime requirement.
The Turai API key grants access to the user's Turai account or quota and is transmitted to turai.org for each road-trip request.
The script uses a local Turai API key to authenticate requests to the documented provider API.
const apiKey = process.env.TURAI_API_KEY; ... "x-api-key": apiKey
Use a Turai key with appropriate scope or quota limits if available, keep it out of logs and shared shells, and revoke it if it is exposed.
If the user enters private addresses or sensitive travel plans, that location information will be shared with the provider.
The skill clearly documents that route locations and trip preferences are sent to the external Turai API.
Endpoint: POST https://turai.org/api/agent/roadtrip ... Body: { "from": "New York City", "to": "Los Angeles", "theme": "foodie", "stops": 5 }Avoid using exact private addresses unless you are comfortable sharing them with Turai, and check the provider's privacy policy for retention and use.
A started drip-feed run may continue producing messages over time, and those messages could become public if the agent posts them to a social channel.
Optional drip-feed mode waits between stops, allowing timed output over minutes, hours, or days when the user chooses --drip.
if (dripMs && i < stopsArray.length - 1) { ... await sleep(dripMs); }Use drip-feed only when intended, confirm the destination channel before public posting, and stop the running process to cancel future updates.