Skill v0.1.0
ClawScan security
Commute Traffic · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Mar 1, 2026, 12:50 PM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requested TOMTOM_API_KEY align with its stated purpose (checking live traffic via TomTom); nothing requests unrelated credentials or installs arbitrary code.
- Guidance: This skill appears to do exactly what it claims: it sends user-supplied origin/destination strings to TomTom and returns route and traffic data. Before installing: (1) decide where the TomTom API key will be stored and who can read that Kubernetes secret (limit access); (2) be aware that addresses and coordinates provided by users are transmitted to TomTom; avoid using the skill to look up sensitive or private locations without explicit consent; (3) note the geocoding bias to Switzerland (countrySet=CH); if you expect global use, update the script or queries; (4) the free tier has rate limits (~830 checks/day), so monitor quota usage.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binary (python3), required env (TOMTOM_API_KEY), SKILL.md, INSTALL.md, and the included script all consistently implement TomTom geocoding and routing. The script uses only the TomTom API and the Python standard library; TOMTOM_API_KEY is the expected credential. Note: the code biases geocoding to Switzerland (countrySet=CH), which is coherent with the examples but may surprise users outside CH.
- Instruction Scope (note): SKILL.md limits runtime actions to extracting origin/destination from conversational context and running the included script; the script only performs API calls to TomTom and outputs structured JSON. One behavioral note: SKILL.md suggests using a user's 'known' home/office/regular commute if available. This can surface personal location data and should only be done with user consent. Otherwise the instructions stay within the declared purpose.
- Install Mechanism (ok): No install spec (instruction-only); the provided INSTALL.md only instructs copying files and setting an env var/secret in Kubernetes. There are no downloads or third-party package installs; the script relies on the Python stdlib.
- Credentials (ok): Only TOMTOM_API_KEY is required, and it is the primary credential declared. The install instructions use a Kubernetes secret to expose this key, which is expected for an API-based skill. No other secrets, tokens, or config paths are requested.
- Persistence & Privilege (ok): The always setting is false, and the skill does not request persistent/global privileges or modify other skills. Autonomous invocation is allowed (platform default) but is not combined with extra privileges or broad credential access.
