TTC CLI

Security checks across malware telemetry and agentic risk

Overview

This transit CLI is mostly purpose-aligned, but its installer can automatically modify and replace a Claude Code skill path in the user's home directory.

Review before installing. Be comfortable with npm install scripts that modify ~/.claude/skills, and check whether ~/.claude/skills/ttc already contains a custom skill before installation. For nearby stops, pass coordinates manually or deny macOS location permission if you do not want the tool to access your device location.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill declares only Bash and Read tools, but its documented behavior clearly depends on external network access to public TTC feeds and shell execution through the installed `ttc` binary. This is a real transparency and permission-model issue because users and policy engines may underestimate what the skill can do, especially when a globally installed binary can make outbound requests and perform local side effects outside the markdown’s explicit declarations.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The skill presents itself as a transit-information tool, but the associated behavior includes modifying the user's `~/.claude/skills` directory, compiling/installing a macOS CoreLocation helper, and accessing device location. Those extra behaviors are not inherently malicious, but they are materially more sensitive than the stated purpose and expand the trust boundary to filesystem modification, native helper installation, and collection of precise location data.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The script requests and retrieves the device's current location, then outputs exact latitude and longitude to stdout or an arbitrary file path supplied on the command line. Even though location is plausibly relevant to a TTC transit skill, collecting precise location in a helper script without any visible consent flow, minimization, or justification creates a privacy-sensitive data exposure path that could be abused by the surrounding agent or other components.

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding
The post-install script performs behavior beyond simple CLI setup by automatically compiling and enabling a native location helper on macOS. Even if intended to support a 'nearby' transit feature, silently adding a native binary with location access during installation expands the trust boundary and grants capabilities that are privacy-sensitive and not obviously necessary for basic transit arrivals or stop search.

Context-Inappropriate Capability

Medium
Confidence: 83%
Finding
Using execSync in a post-install hook to invoke a compiler gives the package code-execution capability at install time, which is a high-trust phase users often do not inspect. Although the arguments are hardcoded and this is not a classic command-injection bug, compiling and introducing a native helper is an unnecessary escalation of install-time behavior for many users and increases supply-chain risk if the package is ever tampered with.

Missing User Warnings

Medium
Confidence: 90%
Finding
The README promotes automatic location detection for `ttc nearby` but does not clearly warn users that their precise physical location will be accessed and processed. In an AI-agent context, this is more sensitive because users may trigger commands conversationally without realizing the tool will request and use location data, increasing the chance of inadvertent privacy exposure.

Missing User Warnings

Low
Confidence: 88%
Finding
The documentation says `ttc nearby` auto-detects the user's location on macOS if no coordinates are provided, but it does not warn that this may access precise device location or trigger OS permission prompts. Even though the feature is relevant to nearby-stop lookup, the lack of a privacy warning can surprise users and lead to unintended disclosure of sensitive location information.

Missing User Warnings

Medium
Confidence: 96%
Finding
On successful location update, the script immediately writes exact coordinates out with no in-script notice, purpose limitation, or indication of how the data will be used. Silent collection and output of sensitive location data increases privacy risk because downstream components can store, transmit, or repurpose the coordinates without the user's awareness.

Missing User Warnings

Medium
Confidence: 78%
Finding
The `nearby` command automatically accesses device location when coordinates are not provided, with only a brief status message and no explicit consent prompt or privacy warning from the application itself. In a transit CLI this is relevant because precise location is sensitive data, and automatic collection can surprise users, especially if terminal history, logs, or shoulder-surfing expose the displayed coordinates.

VirusTotal

63/63 vendors flagged this skill as clean.
