Back to skill
Skillv1.1.7
ClawScan security
KMB and LWB Bus Arrivals · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 2, 2026, 12:40 PM
- Verdict
- Benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requirements are consistent with a simple KMB arrivals client that calls the official data.etabus.gov.hk API and does not request credentials or persistent privileges.
- Guidance
- This package appears coherent and limited to fetching KMB data from the official data.etabus.gov.hk API. Before installing, confirm you trust the included code (kmb_bus.py) and the publisher since the registry metadata lacks a homepage; review the rest of the script (the file was truncated in the provided bundle summary) to be certain there are no unexpected network calls or file operations. Also ensure your environment allows outbound HTTPS to data.etabus.gov.hk and be aware this version intentionally removes caching (it will make fresh API calls each invocation).
Review Dimensions
- Purpose & Capability
- okName/description (KMB bus arrivals) match what the code and SKILL.md do: they call the official Hong Kong Data Hub endpoints to list routes, stops, and ETAs. No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope
- okRuntime instructions simply invoke the bundled Python script with explicit arguments. The script only performs network calls to data.etabus.gov.hk and does not read credentials, arbitrary files, or send data to other endpoints. Error handling and timeouts are present.
- Install Mechanism
- okNo install spec — instruction-only skill with a pure-Python script (standard library). Nothing is downloaded or extracted at install time.
- Credentials
- okNo environment variables or secrets are required. The network access requested (the official KMB data API host) is proportional to the stated purpose.
- Persistence & Privilege
- okalways is false and the skill does not request system-wide configuration changes or persistent credentials. It does not modify other skills or agent settings.