tfl-cli
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a normal London transport lookup CLI, with the main considerations being trust in the external npm package and care with optional API keys or location queries.
This skill looks coherent and purpose-aligned for TfL travel queries. Before installing, make sure you trust the npm package @shan8851/tfl-cli, and be mindful that route planning can involve location details and an optional TfL API key.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill means installing and running a third-party npm CLI package.
The skill depends on an external npm package to provide the CLI binary. This is purpose-aligned for a CLI skill, but users must trust the package source.
node | package: @shan8851/tfl-cli | creates binaries: tfl
Install only if you trust the package and publisher; consider reviewing the npm package page and version before use.
If you set a TfL API key, the CLI may use it for requests to the transport service.
The skill may use a TfL API key if the user provides one. This is expected for a transport API integration and no credential leakage or unrelated use is shown.
Optional: set `TFL_APP_KEY` for higher rate limits (basic usage works without any key)
Use a limited TfL key if possible and avoid sharing command output or logs that might reveal credentials.
Route or arrival queries may reveal places you are interested in traveling from or to.
The skill is designed to process transport and location-style queries. This is aligned with the purpose, but postcodes and coordinates can be sensitive user data.
Accepts station names, postcodes (`SE1 9SG`), coordinates (`51.50,-0.12`), and TfL stop IDs
Avoid entering private home, work, or travel locations if you do not want them handled by the CLI or upstream transport service.