Is brianleach/tfl safe?

https://github.com/openclaw/skills/tree/main/skills/brianleach/tfl

92.5
SAFE

This skill appears to be a legitimate London TfL transport API integration with comprehensive documentation and standard installation behavior. No malicious code execution, data exfiltration, or prompt injection attempts were detected during analysis.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (3)

INFO Executable Node.js script included -10

The skill includes scripts/tfl.mjs, which contains executable JavaScript code. This is expected for a Node.js-based API integration skill but represents inherent execution risk.

INFO External API connections documented -5

The skill documents connections to api.tfl.gov.uk for London transport data. This is legitimate and expected but involves external network requests.

INFO Source code not fully reviewable -5

The complete source code content of the executable script could not be reviewed in detail, limiting security analysis depth.