KMB and LWB Bus Arrivals
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a simple public bus-arrival lookup with no credentials, persistence, or local data access shown, though its command metadata and code documentation are inconsistent.
Before installing, be aware that this runs a local Python script and contacts the official KMB public API. Verify that the final package's command names match the documentation and that OpenClaw safely escapes command arguments. No evidence of credential use, persistence, exfiltration, or destructive behavior was found in the provided artifacts.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If command templating is not safely escaped, unusual stop names or shell metacharacters could break execution or be misinterpreted; no artifact shows privileged or unrelated command use.
A user-provided stop name is inserted into a local command template. This is central to the skill's purpose, but safety depends on the OpenClaw runner escaping arguments rather than invoking an unescaped shell.
command: python3 kmb_bus.py getBusStopID {name}
Use safe argv-style execution or robust escaping for placeholders, and add tighter schema validation for route and stop ID inputs where possible.
The skill may fail or behave differently than described, causing the agent to call commands that the script may not actually support.
This contradicts SKILL.md and README, which advertise getRouteDirection, getRouteInfo, getBusStopID, and getNextArrivals as available tools.
- No old commands (getRouteDirection, getRouteInfo, getBusStopID, getNextArrivals removed)
- Only command: getArrival <route> <stop_name>
Align SKILL.md, README.md, and the Python CLI implementation before relying on the skill.
Installation or invocation may fail on systems without Python 3 or network access, even though the registry requirements do not warn the user.
The registry metadata under-declares the runtime environment because SKILL.md tool commands require python3 and README.md lists Python 3 and network access as requirements.
Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.
Declare Python 3 and network access in the skill metadata/capability requirements.
