Houston Transtar Watch
v1.0.0
Poll Houston TranStar incidents RSS every 10 minutes and WhatsApp me when there are changes.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to poll the Houston TranStar RSS and send WhatsApp notifications. The included Python scripts (transtar.py and scripts/transtar.py) do fetch the RSS and write state to ~/.openclaw/... which is consistent with the monitoring purpose. However, there is no code that implements WhatsApp delivery or any declared credentials for a WhatsApp gateway (e.g., Twilio, Meta) and SKILL.md mentions pushing via a WhatsApp Gateway but provides no configuration. The entrypoint in main.py points to a placeholder path (scripts/your_script.py) and SKILL.md instructs running transtar_diff.py — neither of those files exist, so the pieces required to perform the stated end-to-end task are missing or mismatched.
Instruction Scope
SKILL.md instructs running a diff-check script every 10 minutes and sending a 'Delta Report' via WhatsApp. The scripts present produce the expected 'NO_CHANGES' or a summary and save state locally, which is within scope. But the SKILL.md references filenames (transtar_diff.py) that are not in the bundle, and it says to push via a WhatsApp gateway without specifying how or what credentials to use. The instructions are therefore vague and incomplete, granting broad discretion (e.g., how to configure delivery) and lacking concrete, safe steps for notification delivery.
Install Mechanism
There is no install spec (instruction-only style), so nothing external will be downloaded or written by an installer. The scripts import the third-party 'requests' library but do not declare dependencies; this may cause runtime failures if the environment lacks requests. The scripts write a state file under the user's home directory (~/.openclaw/.../state/last_incidents.json), which is expected for this functionality but is persistent disk I/O the user should be aware of.
Credentials
The skill declares no required environment variables or primary credential, yet the SKILL.md promises WhatsApp delivery (which normally requires API keys, tokens, or webhook configuration). No credentials are requested or documented, and there is no code to read or send WhatsApp messages. This mismatch means the skill as packaged cannot complete its claimed delivery step and may require the user to supply sensitive credentials later or modify code to add them — an opportunity for misconfiguration or accidental credential exposure.
Persistence & Privilege
The skill does not request always:true and is user-invocable; it stores its own state under ~/.openclaw/... which is reasonable for a polling notifier. It does not modify other skills or system-wide settings. Autonomous invocation is allowed (disable-model-invocation is false) which is the platform default and appropriate for scheduled polling.
What to consider before installing
This skill contains working RSS-fetching and diff logic, but it is incomplete and misconfigured for notifications. Before installing or enabling it:
1) Do not provide any WhatsApp/API credentials until you see explicit, secure code that uses them — the package currently has no delivery implementation.
2) Fix the mismatches: SKILL.md calls transtar_diff.py but the repo contains transtar.py; main.py points at scripts/your_script.py — confirm which script is the real entrypoint and update the loader.
3) Ensure the runtime has the 'requests' library or add a dependency/install step.
4) Review where state is written (~/.openclaw/skills/houston-transtar-watch/state/last_incidents.json) and decide if that location and persistence are acceptable.
5) If you want WhatsApp delivery, prefer using a well-known gateway (e.g., Twilio) and ensure credentials are provided via secure environment variables (and documented in the skill) rather than hardcoded.
If the maintainer provides an updated package with clear delivery code and documented, minimal env vars, the assessment could be upgraded to benign.
Like a lobster shell, security has layers — review code before you run it.
Houston TranStar Watcher
Overview
This skill is a specialized traffic monitor for the Greater Houston area. It interfaces with the Houston TranStar Real-Time Incident RSS feed to detect new accidents, stalled vehicles, and road closures.
Technical Runbook
The following logic is executed every 10 minutes via the internal cron scheduler:
1. Script Execution: The skill navigates to the local directory and executes the diff-check logic:
   python3 transtar_diff.py
2. Output Parsing:
   - If the script returns the string NO_CHANGES, the process terminates immediately to save bandwidth and prevent notification fatigue.
   - If any other text is returned, it is treated as a "Delta Report" of new incidents.
3. Delivery Logic: When a "Delta Report" is generated, the content is formatted for mobile viewing and pushed via the WhatsApp Gateway to the configured recipient.
Use Cases
- Automated commute monitoring for Houston residents.
- Alerting logistics teams to major freeway closures on I-10, I-45, and US-59.
