OpenClaw: benign
VirusTotal: benign
StaticScan: unknown
OpenClaw: benign
The skill's files, scripts, and required credentials coherently match its TripGo routing/geocoding purpose; nothing requested or installed appears disproportionate or out-of-scope.
VirusTotal: benign (VT report)
Static scan: unknown
README not provided
No file information
{
"latestVersion": {
"_creationTime": 1772241958350,
"_id": "k976chxy687jexxnrcxa8pem75820qpv",
"changelog": "# skedgo-tripgo-api v1.0.3 (metadata + webhook guardrails)\n\n## ✅ Registry metadata coherence fix\nUpdated `SKILL.md` frontmatter to include machine-readable OpenClaw requirements so ClawHub can correctly display runtime requirements:\n\n- Required env var: `TRIPGO_API_KEY`\n- Required binaries: `curl`, `jq`\n- Primary credential env: `TRIPGO_API_KEY`\n\nAdded frontmatter:\n```yaml\nmetadata: {\"openclaw\":{\"requires\":{\"bins\":[\"curl\",\"jq\"],\"env\":[\"TRIPGO_API_KEY\"]},\"primaryEnv\":\"TRIPGO_API_KEY\"}}\n```\n\n## 🔒 Webhook exfiltration-risk mitigation\nHardened `scripts\/trips-hooks-a-trip-to-real-time-updates.sh` with default-safe webhook policy:\n\n1. Enforce `https:\/\/` webhook URLs only.\n2. Parse and validate webhook host.\n3. Require domain allowlist by default via:\n - `TRIPGO_WEBHOOK_ALLOWLIST=example.com,webhooks.example.org`\n4. Allow bypass only with explicit opt-in:\n - `TRIPGO_ALLOW_UNSAFE_WEBHOOK=true`\n5. Keep JSON input validation for headers and safe JSON body construction via `jq`.\n\nThis preserves legitimate TripGo webhook functionality while reducing abuse potential from arbitrary callback destinations.\n\n## Docs updates\nUpdated `SKILL.md` to document:\n- `TRIPGO_WEBHOOK_ALLOWLIST` (recommended)\n- `TRIPGO_ALLOW_UNSAFE_WEBHOOK` (debug\/trusted use only)\n- security behavior for webhook registration\n\n## Verification\n- `bash -n` passed for updated webhook script.\n- Manual behavior checks confirm:\n - missing allowlist => blocked\n - non-allowlisted host => blocked\n - only allowlisted hosts (or explicit unsafe override) can proceed\n\n---\n\nSuggested release note summary:\n> Fixes ClawHub metadata mismatch and adds secure-by-default webhook controls (HTTPS + allowlist, with explicit unsafe override) to reduce potential exfiltration risk while keeping TripGo hook support intact.",
"changelogSource": "user",
"createdAt": 1772241958350,
"parsed": {
"clawdis": {
"primaryEnv": "TRIPGO_API_KEY",
"requires": {
"bins": [
"curl",
"jq"
],
"env": [
"TRIPGO_API_KEY"
]
}
}
},
"version": "1.0.3"
},
"owner": {
"_creationTime": 0,
"_id": "publishers:missing",
"displayName": "Guanyu Zhang",
"handle": "guanyu-zhang",
"image": "https:\/\/avatars.githubusercontent.com\/u\/63548771?v=4",
"kind": "user",
"linkedUserId": "kn79gqkhyg6t0kyv69rseymwkh820yd8"
},
"ownerHandle": "guanyu-zhang",
"skill": {
"_creationTime": 1772238410753,
"_id": "kd77w0qzthjcqbg72bbppbvee5821wq5",
"badges": [],
"createdAt": 1772238410753,
"displayName": "SkedGo TripGo API",
"latestVersionId": "k976chxy687jexxnrcxa8pem75820qpv",
"ownerUserId": "kn79gqkhyg6t0kyv69rseymwkh820yd8",
"slug": "skedgo-tripgo-api",
"stats": {
"comments": 0,
"downloads": 246,
"installsAllTime": 0,
"installsCurrent": 0,
"stars": 0,
"versions": 3
},
"summary": "Comprehensive interface for the SkedGo TripGo API, covering routing, public transport, trips, and location services. Use for multimodal journey planning, pub...",
"tags": {
"latest": "k976chxy687jexxnrcxa8pem75820qpv"
},
"updatedAt": 1772245609505
}
}