ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

iBus.CL CLI (API Transporte RED Chile)

v1.0.0

Comando CLI para consultar en tiempo real la llegada de buses a paraderos del transporte público de Chile con salida legible o JSON.

0· 14·0 current·0 all-time
byiroaK@iiroak
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (CLI to query Chilean bus stops) matches the instructions: install a Python CLI from the referenced GitHub repo and run the provided commands. No unrelated env vars, binaries, or config paths are requested.
Instruction Scope
SKILL.md only describes installing the CLI and using it (python -m ibus or an installed 'ibus' command) and documents output formats. It does instruct the user to run a remote install script (curl | bash) which is outside the agent's codebase — this is common for CLI installs but grants the remote script full control during installation, so inspect it before executing.
Install Mechanism
There is no platform install spec in the registry; the README suggests running an install.sh fetched from raw.githubusercontent.com or pip installing from the repo. raw.githubusercontent.com is a well-known host (GitHub), but 'curl | bash' executes remote code and is higher-risk; prefer cloning and reviewing the repo or using pip in a virtualenv.
Credentials
The skill declares no environment variables, no credentials, and requires only Python 3.9+. There is no apparent request for unrelated secrets or system-wide tokens.
Persistence & Privilege
The skill is instruction-only, has no 'always' privilege, and does not request persistent or elevated platform privileges in its metadata.
Assessment
This skill appears to be what it says: a Python CLI for Chilean bus stop queries. The SKILL.md advises running a remote install script (curl https://raw.githubusercontent.com/... | bash). That pattern is convenient but risky because it executes whatever is on the remote URL. Before running it, do one of the following: (1) open the GitHub repo and manually inspect install.sh and setup instructions to ensure it doesn't perform unexpected actions, (2) clone the repo locally and run pip install . inside a Python virtualenv, or (3) prefer python -m ibus usage without installing globally. Also check the GitHub owner, recent commits, issues and the project's README/license. Do not run the install script as root and avoid running it on sensitive systems without review.

Like a lobster shell, security has layers — review code before you run it.

latestvk970xqrj0ayb18rrqmad4nh45184qw50

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments