Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

hkroute

v1.0.3

Smart public transport routing for Hong Kong with real-time bus ETAs. Queries Google Maps for transit alternatives, enriches bus legs with live arrival times...

Security Scan

VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match behavior: the skill calls Google Directions (requires GOOGLE_MAPS_API_KEY) and the hk-bus-eta library to fetch public HK ETA data. Required binaries (node) and the single required env var are proportionate to the described functionality. The included bundle/script implements the declared features.
Instruction Scope
SKILL.md instructs running the bundled Node script and documents the network endpoints used (maps.googleapis.com and public HK ETA APIs). The runtime instructions and code only read/write a local cache (~/.cache/hk-route/etaDb.json), use the declared env var, and make network calls to the declared services. There are no instructions to read unrelated files or exfiltrate data to unknown endpoints.
Install Mechanism
No install spec (instruction-only) but a self-contained bundled script is provided (scripts/hk-route.cjs) that appears to embed its Node deps. There is no download-from-untrusted-URL behavior or extract-on-install step in the package metadata. This is low-to-moderate risk and consistent with the SKILL.md claim that no npm install is required.
Credentials
Only GOOGLE_MAPS_API_KEY is required and declared as the primary credential; this directly supports Google Directions usage. No other secrets or unrelated environment variables are requested. The code writes a cache file in the user's home directory, which is reasonable for this use case but worth noting (it does not access other credentials).
Persistence & Privilege
The always flag is false and the skill does not request permanent platform-level privileges. It creates and updates a local cache (~/.cache/hk-route/etaDb.json) under the user's home directory, which is appropriate for caching ETA DBs. It does not modify other skills or global agent settings.
Assessment
This skill appears to do what it says: it needs a Google Maps API key and Node to run the provided bundled script, and it fetches public HK ETA data and caches it at ~/.cache/hk-route/etaDb.json. Before installing/providing your API key: (1) confirm the Google API key has only the permissions you intend (Directions API) and limit quotas where possible; (2) verify the bundle/source checksum or review the upstream repository (SKILL.md points to github.com/7ito/hkroute) to ensure the published bundle matches the upstream code; (3) be aware the skill will create/overwrite a cache file in your home directory; (4) if you will run this in a shared or production environment, consider running it with a key that has restricted usage and billing limits. Overall the package is internally consistent; if you need higher assurance, inspect the provided scripts/hk-route.cjs bundle locally before execution.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

scripts/hk-route.cjs:10362: Environment variable access combined with network send.
scripts/hk-route.cjs:31872: File read combined with network send (possible exfiltration).
src/eta.ts:3: File read combined with network send (possible exfiltration).


latest · vk97dsfh3kcygeej9qp1n3w5xfx83pkra

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

Bins: node
Env: GOOGLE_MAPS_API_KEY
Primary env: GOOGLE_MAPS_API_KEY
