ClawHub

Tabussen

PassAudited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill Name: tabussen Version: 1.0.0 The skill bundle is benign. It provides a public transport trip planner using the ResRobot API. The shell scripts (`journey.sh`, `search-location.sh`) securely handle API keys via environment variables and properly URL-encode user input (`jq -sRr @uri` in `search-location.sh`) before making `curl` requests, preventing command injection. The `SKILL.md` instructions for the AI agent are detailed and focused on correct tool usage and user interaction, showing no signs of prompt injection attempts to subvert the agent's behavior or exfiltrate data.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence
ASI03: Identity and Privilege Abuse
What this means

You need to provide a ResRobot API key, and your stop IDs, coordinates, dates, and times may be associated with that key by the API provider.

Why it was flagged

The script requires a ResRobot/Trafiklab API key and includes it in requests to the ResRobot trip API. This is expected for the stated integration, but users should understand that their API key and trip-query parameters are sent to the provider.

Skill content
API_KEY="${RESROBOT_API_KEY:-YOUR_API_KEY_HERE}" ... PARAMS="format=json&accessId=${API_KEY}&passlist=1&numF=5"
Recommendation

Use a dedicated ResRobot API key, keep it out of shared logs or transcripts, and rotate it if it is exposed.

NoteHigh Confidence
ASI04: Agentic Supply Chain Vulnerabilities
What this means

Installation or first use may fail unless curl, jq, and a ResRobot API key are available, and there is no linked upstream homepage to verify provenance.

Why it was flagged

The registry metadata omits provenance and declares no binaries, env vars, or credentials, while the visible SKILL.md/scripts require curl, jq, and RESROBOT_API_KEY. This is an install/disclosure gap, not evidence of hidden behavior.

Skill content
Source: unknown; Homepage: none; Required binaries (all must exist): none; Required env vars: none; Primary credential: none
Recommendation

Review the included shell scripts before use, install curl and jq if needed, and configure RESROBOT_API_KEY explicitly.