tper-hellobus

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: tper-hellobus-skill
Version: 0.0.2

The skill is classified as suspicious due to a potential shell injection vulnerability. The `SKILL.md` instructs the AI agent to use `bash_tool` with `curl` to construct API calls, interpolating user-provided inputs (`stop_code`, `line_number`, `time_hhmm`) directly into the command string. Without explicit instructions for robust input sanitization or URL/shell escaping, a malicious user could craft inputs to execute arbitrary commands on the agent's host system. While the stated purpose is benign (querying a bus API), the method of execution introduces a significant security risk.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may send the bus stop code, line number, and optional time to the TPER API using curl.

Why it was flagged

The skill directs the agent to use a shell command for outbound HTTP requests. The command is narrow and purpose-aligned with bus-arrival lookups, but raw shell/curl access is still a capability users should recognize.

Skill content
Use the `bash_tool` with `curl` to call the API (web_fetch has URL restrictions):
Recommendation

Allow network access only to the documented TPER domain and keep queries limited to stop, line, and time values; use a safer scoped web request tool if available.

What this means

The skill may fail or require an available curl-capable shell environment despite the metadata not listing required binaries.

Why it was flagged

The metadata does not declare a curl dependency even though the instructions use curl. This is under-declared setup information, but there is no hidden helper code, package install, or remote script.

Skill content
Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.
Recommendation

The publisher should declare the curl or network requirement in metadata; users should confirm their environment supports the documented command before relying on the skill.