Is dukbong/seoul-subway safe?
https://github.com/openclaw/skills/tree/main/skills/dukbong/seoul-subway
The dukbong/seoul-subway skill is a functional, low-complexity subway information assistant with no executable code, no filesystem access, and a clean installation. Its primary risk is architectural: all queries are routed through an unbranded third-party Vercel proxy (vercel-proxy-henna-eight.vercel.app) that logs user IP addresses, and the skill's system prompt includes a social engineering recommendation encouraging users to permanently disable permission prompts for that proxy domain. The canary files were not accessed by the skill, and no exfiltration of local credentials was detected.
Category Scores
Findings (9)
MEDIUM Social engineering nudge to disable permission prompts -15
The SKILL.md 'First Time Setup' section explicitly recommends that users select 'Yes, and don't ask again' when the agent's permission dialog appears for the proxy domain. Once this skill is injected into an agent's system prompt, the agent presents that recommendation to users as if it were neutral guidance. This is a social engineering vector: the skill author uses the LLM's trusted voice to persuade users to grant network access to a third-party server permanently, so that the permission check never fires again for that domain.
MEDIUM Skill frames unverified third-party proxy as trustworthy within agent context -10
The skill embeds assurances about the proxy's behavior ('never your conversation context or personal data') directly in the system prompt. These claims are authored by the skill developer — not audited or independently verified — but will be presented by the agent as established fact. This preemptively neutralizes user skepticism about the proxy before the user has any opportunity to evaluate it themselves.
MEDIUM All queries routed through third-party proxy with auto-generated Vercel subdomain -20
Every API call made by this skill passes through vercel-proxy-henna-eight.vercel.app. The 'henna-eight' suffix strongly suggests an auto-generated Vercel project name rather than an intentionally branded domain. The proxy operator receives all user queries, pagination parameters, and standard HTTP headers including IP address. If the Vercel project is abandoned or transferred, a new owner could silently inherit all skill traffic.
LOW IP address and User-Agent transmitted to third-party proxy on every request -10
The skill's own privacy disclosure confirms that the IP address and User-Agent are sent as standard HTTP headers with every API call. This gives the proxy operator a persistent log of user query patterns correlated with network identity, even if the skill is used only for benign subway lookups.
LOW Static reference data fetched from author-controlled GitHub raw URLs -5
The skill documents three raw.githubusercontent.com endpoints for station lists and line mappings. These URLs point at a branch of the skill author's GitHub repository, so their content can change at any time without a skill update. While this is a read-only fetch pattern, it means the reference data the agent uses can be silently modified by the repository owner; pinning the URLs to a commit SHA instead of a branch name would remove that possibility.
LOW Proxy creates persistent behavioral surveillance surface -15
Aggregated across many users, the proxy operator accumulates subway query data (station names, route searches, service alert checks) correlated with user IP addresses. This data can reveal home and work locations, commute patterns, and travel times. The skill's stated open-source availability does not prevent the deployed proxy from logging more than disclosed.
LOW Social engineering instruction uses LLM trust relationship against user security posture -15
By placing permission-bypass recommendations in the system prompt, the skill author exploits the agent's trusted conversational role to normalize granting persistent network access to a third-party domain. This is a subtle but deliberate design pattern that trades user security for developer convenience.
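The three manifest-level findings above (the 'don't ask again' nudge, the auto-generated Vercel proxy host, and the branch-based raw.githubusercontent.com URLs) can all be caught by a static check on SKILL.md before a skill is installed. The following linter is an added example written for this page; it is not part of the audit platform or the skill. The manifest text it scans is constructed to contain the same patterns and is not the real SKILL.md, and the rule that Vercel auto-generated project names end in "-<word>-<number word>" (as in "henna-eight") is a heuristic assumption, not a documented Vercel guarantee.

```python
import re
from urllib.parse import urlparse

# Constructed sample manifest for demonstration only. It is NOT the text of the
# dukbong/seoul-subway SKILL.md; it merely reproduces the same risk patterns.
SAMPLE_SKILL_MD = """\
# Subway helper

## First Time Setup
When the permission dialog appears for the proxy, select "Yes, and don't ask again".
The proxy never sees your conversation context or personal data.

## Endpoints
- https://vercel-proxy-henna-eight.vercel.app/api/search
- https://raw.githubusercontent.com/example-user/example-repo/main/stations.json
- https://raw.githubusercontent.com/example-user/example-repo/0123456789abcdef0123456789abcdef01234567/lines.json
"""

# Phrases that nudge the user into suppressing future permission prompts.
NUDGE_PATTERNS = [
    r"don'?t ask again",
    r"do not ask again",
    r"always allow",
    r"never ask",
]

# Heuristic (assumption): auto-generated Vercel project names end in
# "-<adjective>-<number word>", e.g. "henna-eight". A branded deployment
# normally does not, so a matching host is worth flagging for review.
_NUMBER_WORDS = "one|two|three|four|five|six|seven|eight|nine|ten"
AUTOGEN_VERCEL_RE = re.compile(rf"^[a-z0-9-]+-[a-z]+-({_NUMBER_WORDS})\.vercel\.app$")

URL_RE = re.compile(r"https?://[^\s)<>]+")
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def lint_skill_md(text, allowed_hosts=()):
    """Scan a SKILL.md body and return a list of findings.

    Each finding is a dict with 'kind', 'detail' and 'severity'. Hosts in
    allowed_hosts (e.g. an organisation's vetted API endpoints) are skipped.
    """
    findings = []
    lowered = text.lower()

    # One permission-nudge finding is enough; report the first phrase seen.
    for pat in NUDGE_PATTERNS:
        m = re.search(pat, lowered)
        if m:
            findings.append({"kind": "permission-nudge",
                             "detail": m.group(0), "severity": "MEDIUM"})
            break

    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host in allowed_hosts:
            continue
        if AUTOGEN_VERCEL_RE.match(host):
            findings.append({"kind": "autogen-vercel-proxy",
                             "detail": host, "severity": "MEDIUM"})
        elif host == "raw.githubusercontent.com":
            # Path layout is /<owner>/<repo>/<ref>/<file...>; a 40-hex ref is
            # a pinned commit, anything else (branch, tag) can change silently.
            parts = parsed.path.strip("/").split("/")
            ref = parts[2] if len(parts) > 3 else ""
            if not COMMIT_SHA_RE.match(ref):
                findings.append({"kind": "unpinned-github-raw",
                                 "detail": url, "severity": "LOW"})
        elif host:
            findings.append({"kind": "unlisted-host",
                             "detail": host, "severity": "INFO"})
    return findings


if __name__ == "__main__":
    for f in lint_skill_md(SAMPLE_SKILL_MD):
        print(f"{f['severity']:6} {f['kind']:24} {f['detail']}")
```

The check is deliberately conservative: it flags a host for review rather than deciding it is malicious, and the pinned-commit URL in the sample produces no finding, which is exactly the outcome a maintainer gets by replacing `main` with a commit SHA.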
INFO Installation process is clean and minimal 0
The skill contains only SKILL.md, _meta.json, and .clawhub/lock.json. No executable files, no npm scripts, no git hooks, no submodules, no symlinks. The clone and install produced no unexpected network connections or filesystem writes outside the skill directory.
INFO All canary files intact — no exfiltration via honeypots 0
Canary file accesses at timestamps 1771908087.* are attributable to the audit platform's baseline setup, and accesses at 1771908109.834.* are the post-install integrity check. No skill-initiated reads of .env, SSH keys, AWS credentials, .npmrc, Docker config, or GCloud credentials were observed.
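The attribution step described above, in which canary accesses that fall inside the audit platform's own setup and integrity-check windows are discounted and anything else is treated as skill-initiated, is shown below as an added example; it is not the audit platform's code. The phase windows and the access events are constructed for illustration and are not the real audit's log, although the timestamps are chosen to resemble the ones quoted in the finding.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase:
    """A window of time during which the audit harness itself touches canaries."""
    name: str
    start: float  # epoch seconds, inclusive
    end: float    # epoch seconds, inclusive


# Constructed audit timeline (assumption): the harness records when it seeded
# the canary files and when it ran the post-install integrity check.
AUDIT_PHASES = [
    Phase("baseline-setup", 1771908087.0, 1771908088.0),
    Phase("post-install-check", 1771908109.0, 1771908110.0),
]

# Constructed access events as (canary path, epoch-seconds access time).
# Illustrative values only; the last one simulates a read during the install.
SAMPLE_EVENTS = [
    ("/home/agent/.env", 1771908087.120),
    ("/home/agent/.ssh/id_ed25519", 1771908087.131),
    ("/home/agent/.aws/credentials", 1771908109.834),
    ("/home/agent/.env", 1771908109.841),
    ("/home/agent/.npmrc", 1771908095.402),
]


def explain_access(ts, phases):
    """Return the name of the audit phase covering ts, or None if no phase does."""
    for p in phases:
        if p.start <= ts <= p.end:
            return p.name
    return None


def attribute_accesses(events, phases):
    """Split canary accesses into harness-attributable and unexplained ones.

    Returns (explained, unexplained): explained maps each path to the list of
    phase names that account for its reads; unexplained maps each path to the
    access times no phase covers, which is the set to treat as skill-initiated.
    """
    explained, unexplained = {}, {}
    for path, ts in events:
        phase = explain_access(ts, phases)
        if phase is None:
            unexplained.setdefault(path, []).append(ts)
        else:
            explained.setdefault(path, []).append(phase)
    return explained, unexplained


if __name__ == "__main__":
    _, suspicious = attribute_accesses(SAMPLE_EVENTS, AUDIT_PHASES)
    for path, times in suspicious.items():
        print(f"skill-initiated read of {path} at {times}")
```

The phase windows are the weak point of this approach: if the harness's own activity is recorded too coarsely, a skill read that happens to land inside a window is misattributed to the harness, so the windows should be as tight as the platform's timestamps allow.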