Brouter

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly does what it advertises, but it can write files outside its routes folder and stores or sends route-location data in ways that are not tightly bounded.

Review this skill before installing. It appears intended to generate GPX bike routes, but you should be comfortable sharing route endpoints with brouter.de and leaving route details in local logs. Avoid using custom output paths unless the skill is updated to confine writes to its routes folder.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent or prompt passes a custom path, the skill could overwrite or create files outside the expected route-output directory.

Why it was flagged

The function accepts caller-controlled outputDir and fileName, resolves them directly, creates parent directories, and writes the GPX response with no check that the path stays inside the intended routes folder.

Skill content

const { ... outputDir = path.resolve(process.cwd(), 'routes'), fileName } = options; ... const outputPath = path.resolve(outputDir, finalFileName); ... await fs.promises.writeFile(outputPath, gpxText, 'utf8');

Recommendation

Restrict writes to a fixed routes directory, reject absolute paths and '..' traversal, sanitize filenames, and require explicit user confirmation for any custom save location.

What this means

A user's route history, locations, and potentially human-readable labels may remain in local logs beyond the generated GPX file.

Why it was flagged

The skill persistently records full invocation options, route coordinates, request URLs, and result metadata to a local log file and also prints options to stdout.

Skill content

const LOG_PATH = path.resolve(__dirname, 'brouter.log'); ... console.log('[brouter] run() invoked with options:', options); ... logEvent({ type: 'brouter.run.success', options: { ...options }, request: { url: requestUrl, lonlats, profile }, ... });

Recommendation

Redact or remove route details from logs, document any logging clearly, and provide retention or cleanup guidance.

What this means

Network observers may be able to see the user's route endpoints, and the provider receives location data as part of normal operation.

Why it was flagged

The skill sends precise start and end coordinates in a URL query string to an external provider over plain HTTP.

Skill content

const baseUrl = 'http://brouter.de/brouter'; params.set('lonlats', lonlats); ... response = await fetch(requestUrl);

Recommendation

Use HTTPS if supported, disclose the external data flow clearly, and warn users before routing sensitive locations.

What this means

Future installs may resolve to different package versions than the reviewer saw.

Why it was flagged

The skill relies on external npm packages with semver ranges, and the provided file manifest does not include a lockfile pinning exact resolved versions.

Skill content

"dependencies": { "node-fetch": "^2", "gpx-parse": "^0.10.1" }

Recommendation

Pin dependency versions and include a lockfile or provenance information for reproducible installation.