Safety Report

Trimet

Name: Trimet
Author: mjrussell

Get Portland transit information including arrivals, trip planning, and alerts. Use when user asks about buses, MAX, trains, or transit in Portland.

1,428Downloads

0Installs

0Stars

1Versions

Networking & DNS1,102 Notifications & Alerts1,061

Security Analysis

medium confidence

Suspicious0.08 risk

The skill's instructions match a TriMet CLI that legitimately requires an API key, but the package/registry metadata does not declare the binary or environment variable the SKILL.md requires — an inconsistency you should verify before installing or granting secrets.

Feb 11, 20261 files3 concerns

Purpose & Capabilitynote

The SKILL.md describes a TriMet CLI wrapper (arrivals, trip planning, alerts). Requiring a 'trimet' CLI binary and a TRIMET_APP_ID API key is coherent with that purpose. However, the registry metadata included with the skill lists no required binaries or environment variables, which conflicts with the SKILL.md requirements.

Instruction Scopeok

Instructions are narrowly scoped to using the trimet CLI and an API key. They do not ask the agent to read unrelated files, other environment variables, or exfiltrate data to unexpected endpoints.

Install Mechanismnote

The skill is instruction-only (no install spec). SKILL.md tells users to 'npm install -g trimet-cli' — a reasonable, common install path but not enforced by the skill metadata. Because the skill relies on an external npm package, you should verify that 'trimet-cli' on npm is the expected, maintained package.

Credentialsconcern

The SKILL.md requires a single TRIMET_APP_ID env var (the TriMet API key), which is proportionate. The concern is that the skill's registry metadata did not declare this required env var; that mismatch could confuse automated permission checks or hide that a secret is needed.

Persistence & Privilegeok

The skill does not request persistent privileges, always:true is not set, and it is user-invocable only. There is no indication it modifies other skills or system-wide settings.

Guidance

This skill appears to simply wrap the TriMet CLI and needs a TriMet developer API key (TRIMET_APP_ID). Before installing or supplying an API key: 1) confirm the 'trimet-cli' npm package is legitimate (check npmjs.org, maintainer, download counts, and source code). 2) Note the registry metadata omitted the required binary/env — ask the publisher or maintainers to correct that. 3) Only provide your TriMet API key (not other credentials); if you are uncomfortable, run the CLI locally yourself rather than giving the key to an agent. 4) If you plan to allow autonomous agent actions, be aware the agent will try to run the 'trimet' binary and may attempt global installs if not present — prefer manual install and review the installed package code first.

Latest Release

v0.1.0

Initial release

More by @mjrussell

Todoist

39 stars

Resend

2 stars

Paprika

2 stars

Anylist

1 stars

Fitbit

1 stars

Hevy

0 stars

Published by @mjrussell on ClawHub