ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Commute Traffic

v0.1.0

Check real-time traffic conditions for a route between two locations using TomTom. Use when the user asks about traffic, commute time, best time to leave, dr...

0· 384·1 current·1 all-time
by@xavjer
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (python3), required env (TOMTOM_API_KEY), SKILL.md, INSTALL.md, and the included script all consistently implement TomTom geocoding and routing. The script uses only the TomTom API and standard library; the TOMTOM_API_KEY is the expected credential. Note: the code biases geocoding to Switzerland (countrySet=CH), which is coherent with examples but may surprise users outside CH.
Instruction Scope
SKILL.md limits runtime actions to extracting origin/destination from conversational context and running the included script; the script only performs API calls to TomTom and outputs structured JSON. One behavioral note: SKILL.md suggests using a user's 'known' home/office/regular commute if available — this can surface personal location data and should only be done with user consent. Otherwise the instructions stay within the declared purpose.
Install Mechanism
No install spec (instruction-only) and the provided INSTALL.md only instructs copying files and setting an env var/secret in Kubernetes. There are no downloads or third‑party package installs; the script relies on Python stdlib.
Credentials
Only TOMTOM_API_KEY is required and is the primary credential declared. The install instructions use a Kubernetes secret to expose this key — expected for an API-based skill. No other secrets, tokens, or config paths are requested.
Persistence & Privilege
always is false and the skill does not request persistent/global privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with extra privileges or broad credential access.
Assessment
This skill appears to do exactly what it claims: it sends user-supplied origin/destination strings to TomTom and returns route and traffic data. Before installing: (1) decide where the TomTom API key will be stored and who can read that Kubernetes secret (limit access); (2) be aware that addresses and coordinates provided by users are transmitted to TomTom — avoid using the skill to look up sensitive or private locations without explicit consent; (3) note the geocoding bias to Switzerland (countrySet=CH) — if you expect global use, update the script or queries; (4) the free tier has rate limits (~830 checks/day), so monitor quota usage.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e7zy1de6p6da3r818pjg2tn822fw4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🚗 Clawdis
Binspython3
EnvTOMTOM_API_KEY
Primary envTOMTOM_API_KEY

Comments