Traffic-Data
PassAudited by ClawScan on May 10, 2026.
Overview
This skill appears to be a straightforward traffic-query tool, with expected API-key use and some non-security documentation/package mismatches to review.
This looks safe for its stated purpose, but use limited traffic-provider API keys and be aware that current documentation does not fully match the included code. Check which command actually runs before installing or invoking it.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your traffic queries may use your map-provider account quota or billing, and the provider will see the query parameters.
The skill sends a provider API key and the requested city/road to the AMap/Gaode API. This is purpose-aligned, but users should understand their key and query data go to the map provider.
const params = { key: GAODE_MAP_KEY, city: city, name: road }; const response = await axios.get(url, { params });Use restricted API keys with appropriate quotas and only install the skill if you are comfortable sending traffic queries to the stated provider.
Some documented commands may fail or require using index.js instead of the named helper scripts.
The package and SKILL.md reference helper files that are not present in the provided manifest, which appears to be an operability/provenance mismatch rather than hidden execution.
"scripts": { "road": "node road.js", "incident": "node incident.js", "scats": "node scats.js" }Verify the intended entry point before use, and do not run any additional files that are not part of the reviewed package.