Skill v0.1.7

ClawScan security

TTC CLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 8, 2026, 7:44 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The package appears to be what it claims — a TTC CLI distributed as an npm package — but its install step will modify your home directory (creates a Claude skill symlink) and may compile a macOS helper; review the postinstall script before installing if you're concerned.
Guidance
This package is coherent with its description: it's an npm-distributed TTC CLI bundling static GTFS data and accessing TTC's public GTFS-RT feeds. Before installing, consider: (1) the package runs a postinstall script that will create ~/.claude/skills/ttc to register as a Claude Code skill — if you don't want automatic registration, either inspect/modify the package or create that symlink manually after installation; (2) on macOS the postinstall may compile a small Swift helper (requires Xcode Command Line Tools) to enable automatic location — you can skip installing those tools or skip the helper if you prefer; (3) npm postinstall scripts execute arbitrary code during install — only install packages from maintainers you trust or review scripts (scripts/postinstall.js) yourself; (4) the package bundles large static GTFS files locally (storage impact) and includes an update-gtfs script that can fetch fresh data when explicitly run. If you want minimal risk, install in a sandbox/VM or inspect the postinstall script and packaged files before running npm install.

Review Dimensions

Purpose & Capability
note: The skill's name/description (TTC CLI) match the code and bundled data: a Node CLI that exposes live TTC GTFS-RT and static GTFS data. The package installs a 'ttc' binary as declared. One minor inconsistency: registry metadata lists no required config paths, but the postinstall script writes a symlink into ~/.claude/skills, which is an effective modification of user agent config/home directory (this is consistent with the README but wasn't declared in the 'required config paths' field).
Instruction Scope
ok: SKILL.md instructs only to run the ttc binary and documents features (nearby, next, vehicles, alerts). There are no instructions to read unrelated files or exfiltrate secrets. The package includes an optional macOS location helper (CoreLocation) which is compiled during postinstall if swiftc/Xcode tools are present; that behavior is documented in README.
Install Mechanism
note: The install uses an npm package (@lucasygu/ttc) which is expected for a JS CLI. The package contains a postinstall script that (a) creates a symlink in ~/.claude/skills to register itself as a Claude Code skill and (b) may compile a Swift helper on macOS (execSync of swiftc). Running npm install will execute that postinstall script on the host — typical for npm packages but worth noting because it runs code and writes files on install.
Credentials
ok: No environment variables or credentials are required. The code does not request unrelated secrets. The only filesystem/location access is to the user's home directory (~/.claude/skills) and to compile/copy the macOS helper in the package directory, which is proportional to its claimed integration and macOS location feature.
Persistence & Privilege
note: 'always' is false and the skill does not request elevated system privileges. However, postinstall will create a persistent symlink at ~/.claude/skills/ttc to register the skill with Claude Code (modifying user agent configuration). This is within the skill's stated goal (AI agent integration) but is a persistent change to the user's home directory that some users may prefer to perform manually.