Trimet
Pass
Audited by ClawScan on May 1, 2026.
Overview
This looks like a benign TriMet transit helper, with ordinary notes about installing an npm CLI, using a TriMet API key, and sending trip locations to TriMet.
This skill appears purpose-aligned for Portland transit lookups. Before using it, install the npm CLI only from a trusted source, keep TRIMET_APP_ID private, and avoid entering exact private addresses unless needed for trip planning.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the package gives third-party npm code a place on the user's system, although the skill does not show hidden or automatic installation behavior.
The skill relies on a globally installed npm package that is not pinned in the provided artifacts. This is expected for the stated CLI-based purpose, but it is still a supply-chain dependency the user should vet before installing.
npm install -g trimet-cli
Install the CLI only from a trusted npm source and review the package identity/version if this is a sensitive environment.
The key may identify the user's TriMet developer access or consume API quota if used by the CLI.
The skill requires a TriMet API key. That is purpose-aligned for accessing TriMet data and there is no artifact evidence of credential leakage or unrelated use.
Get free API key from https://developer.trimet.org/ ... export TRIMET_APP_ID="your-key"
Store TRIMET_APP_ID only in trusted shell environments and rotate the key if it is accidentally exposed.
Specific origins, destinations, or travel times may be sent to TriMet when planning trips.
Trip planning can include user-provided locations or addresses, and the setup uses TriMet's developer API. This external data flow is expected for transit planning but may include location-sensitive information.
trimet trip -f "Pioneer Square" -t "PDX Airport" ... Addresses work for trip planning
Use stop IDs or approximate locations when possible if exact addresses are sensitive.
