Coin Collection Truck 香港收銀車
v0.1.0Agent skill to search for the Hong Kong Coin Cart (收銀車) locations and schedules. Use this skill when a user asks about the location, schedule, or availabilit...
⭐ 0· 83·0 current·0 all-time
by@sodiasm
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description, README, SKILL.md, bundled JSON, and Python script align: the skill provides queries over a local schedule database. Minor incoherences: SKILL.md instructs running the script at an absolute path (/home/ubuntu/skills/coin-collection-truck/...) whereas the repository layout shows a relative scripts/ path; SKILL.md and README reference an assets/logo file that is not present in the provided file manifest. These are implementation/packaging issues rather than indicators of malicious behavior.
Instruction Scope
Runtime instructions direct the agent to run the included Python script (via the shell tool) and to present results. The script reads only the provided local JSON reference file and formats output (including Google Maps links). It does not attempt to read other system files, environment variables, or contact external endpoints (beyond producing hyperlinks). The only scope oddity is the hardcoded absolute path and a suggestion to attach an assets file at /home/ubuntu/..., which could cause a failing lookup or require the agent to access that path if present; the asset file is not provided.
Install Mechanism
No install specification or external downloads are present (instruction-only skill with bundled files). This is the lower-risk case: nothing is written to disk by an installer and no third-party packages are fetched.
Credentials
The skill does not request any environment variables, credentials, or configuration paths. The Python script operates on a local JSON file included in the bundle; no secrets or unrelated credentials are required.
Persistence & Privilege
The skill is not marked always:true and does not request or modify other skills or global agent settings. It has no elevated persistence or privileged behavior.
Scan Findings in Context
[none_detected] expected: Static regex pre-scan returned no findings. This matches expectations: code is straightforward parsing/formatting of a local JSON schedule and no suspicious patterns were detected.
Assessment
This skill appears to do what it says: it queries a bundled JSON schedule with a local Python script and returns human-friendly results. Before installing, consider: 1) The SKILL.md uses an absolute path (/home/ubuntu/...) and references an assets/logo file that is not in the package — verify and adjust paths after installation so the agent can run the script correctly. 2) Review the bundled JSON if you want to confirm data origin and freshness (it appears to be static schedule entries). 3) Because the skill runs a local script via the shell tool, run it in a sandbox or test environment first if you are cautious; the script currently performs only local parsing and printing and does not make network calls or access secrets. 4) If you expect automatic periodic updates, confirm how data will be refreshed — there is no network/update mechanism in the package.Like a lobster shell, security has layers — review code before you run it.
latestvk977f8cq414tpprgcfvhhpfens8390f2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.