ClawHub
Back to skill
v1.0.1

Stockholm Public Traffic Planner

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:06 AM.

Analysis

This skill appears coherent and benign: it queries public Stockholm transit APIs, but users should know it can save favorite stops/routes and use them for autonomous monitoring notifications.

GuidanceBefore installing, note that the skill will call SL public APIs with your stop/route queries and may save favorite stops and routes in `.sl/preferences.json` for autonomous monitoring. It looks purpose-aligned and low risk, but review saved preferences if commute privacy matters to you.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityInfoConfidenceHighStatusNote
references/api.md
All API calls use: `https://transport.integration.sl.se/v1` ... curl -s "https://transport.integration.sl.se/v1/sites/${SITE_ID}/departures"

The skill uses curl and jq to query external transit API endpoints. This is disclosed and central to the stated purpose.

User impactStop names, stop IDs, line IDs, and similar query details may be sent to the SL integration API when the skill is used.
RecommendationUse the skill for its intended transit lookups and avoid adding unnecessary personal details to search terms or saved route names.
Rogue Agents
SeverityLowConfidenceHighStatusNote
SKILL.md
During autonomous execution (e.g., background heartbeat or cron job) ... Only send a notification if a new, relevant disruption is detected ... Adhere to Trafiklab's limit of maximum 1 request per minute.

The artifacts explicitly describe autonomous/background monitoring behavior. It is scoped to saved transit favourites and rate-limited, but users should be aware of the ongoing activity.

User impactIf configured for background use, the skill may periodically check saved routes and produce disruption notifications.
RecommendationEnable autonomous monitoring only for routes you want watched, and verify the saved preferences and notification behavior match your expectations.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
SKILL.md
Preferences for **autonomous monitoring** are maintained in your workspace at `.sl/preferences.json` ... Compare returned deviation IDs against context memory.

The skill stores travel-monitoring preferences and reuses memory of deviation IDs across checks. This is purpose-aligned, but it is persistent user context.

User impactSaved stops and routes may reveal commuting patterns, and stale or incorrect stored state could affect which disruption notifications are shown.
RecommendationReview or delete `.sl/preferences.json` when you no longer want monitoring, and keep only the stops/routes you actually want stored.