Skill v1.0.0
ClawScan security
Traffic-Data · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 22, 2026, 3:55 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it claims (queries map/SCATS data) but has mismatches between its metadata, runtime instructions, and file layout: environment requirements are over-declared and the README references files that don't exist, so exercise caution before installing.
- Guidance: This skill appears to be a simple traffic/query tool, but there are inconsistencies you should resolve before installing:
  1. The README and package.json expect separate scripts (road.js, incident.js, scats.js) while the repo only includes index.js; confirm which files will run and test locally.
  2. The registry marks three env vars as required, but the program needs only one map key, and SCATS only for SCATS queries (which is not implemented); avoid supplying more credentials than necessary.
  3. If you install, run npm install from a trusted environment and review package-lock.json dependencies.
  4. Consider using API keys with minimal privileges and not reusing high-privilege keys.
  5. If you need strong assurance, ask the publisher for a corrected SKILL.md or source that matches package.json, and verify the SCATS implementation before providing a SCATS API key.
Review Dimensions
- Purpose & Capability (note): Name/description align with traffic/map and SCATS data. Requiring node and map/SCATS API keys is reasonable for this purpose. However, the registry lists BAIDU_MAP_KEY, GAODE_MAP_KEY, and SCATS_API_KEY as all required even though the code only needs one map key for map queries and SCATS only for SCATS queries.
- Instruction Scope (concern): SKILL.md instructs running files at paths like skills/traffic-data/road.js and references separate road.js/incident.js/scats.js scripts. The package.json scripts point to road.js/incident.js/scats.js as well. The provided codebase contains only index.js (the main program), which expects subcommands rather than separate files. This mismatch between documentation and actual files will cause confusion or runtime errors. The SKILL.md also describes BAIDU/GAODE as optional but registry metadata marks them required, another inconsistency. No instructions attempt to read unrelated system files or exfiltrate secrets.
- Install Mechanism (ok): No install script is provided (instruction-only install). Dependencies are standard npm packages (axios, etc.) with package-lock referencing npm registry artifacts. No external download URLs or extract steps are used. The only potential friction: no explicit install step is declared, so maintainers/operators must run npm install to satisfy dependencies.
- Credentials (concern): The skill declares BAIDU_MAP_KEY, GAODE_MAP_KEY, and SCATS_API_KEY as required. The code only needs one map API key (GAODE or BAIDU) for road/incident queries and SCATS_API_KEY only for the SCATS endpoint (which is not implemented yet). Requiring all three up-front is disproportionate and could lead to unnecessary exposure of multiple API keys.
- Persistence & Privilege (ok): The skill has no elevated persistence flags (always: false) and does not modify other skills or system-wide config. It runs as a normal node script and does not request additional privileges.
