tper-hellobus

Pass

Audited by ClawScan on May 1, 2026.

Overview

This instruction-only skill is coherent and appears to only query TPER’s public bus-arrival API, with disclosed network and curl usage.

This skill looks safe for its stated purpose. Before installing, be aware that it requires network access to the TPER Hellobus domain and uses curl through a shell tool to make the request.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may send the bus stop code, line number, and optional time to the TPER API using curl.

Why it was flagged

The skill directs the agent to use a shell command for outbound HTTP requests. The command is narrow and purpose-aligned with bus-arrival lookups, but raw shell/curl access is still a capability users should recognize.

Skill content

Use the `bash_tool` with `curl` to call the API (web_fetch has URL restrictions):

Recommendation

Allow network access only to the documented TPER domain and keep queries limited to stop, line, and time values; use a safer scoped web request tool if available.

What this means

The skill may fail or require an available curl-capable shell environment despite the metadata not listing required binaries.

Why it was flagged

The metadata does not declare a curl dependency even though the instructions use curl. This is under-declared setup information, but there is no hidden helper code, package install, or remote script.

Skill content

Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.

Recommendation

The publisher should declare the curl or network requirement in metadata; users should confirm their environment supports the documented command before relying on the skill.