SkedGo TripGo API
by Guanyu Zhang · v1.0.3
350 Downloads · 0 Stars · 0 Active Installs · 3 Versions
Install in OpenClaw
/install skedgo-tripgo-api
Description
Comprehensive interface for the SkedGo TripGo API, covering routing, public transport, trips, and location services. Use for multimodal journey planning, pub...
Usage Guidance
This skill appears to do exactly what it claims: provide shell scripts to call TripGo endpoints. Before installing or running it: (1) only provide a TripGo API key (TRIPGO_API_KEY) — do not reuse high-privilege or unrelated credentials; (2) review any webhook URLs you register and set TRIPGO_WEBHOOK_ALLOWLIST to trusted domains (the scripts enforce https and an allowlist by default); (3) be aware many scripts print request bodies or URLs to stdout — avoid running them where logs are public if the inputs include sensitive info; (4) ensure curl and jq are available; (5) inspect and test scripts in a safe environment (no secrets) if you want to verify behavior. Overall the package is internally consistent and proportionate to its stated purpose.
Capability Analysis
Type: OpenClaw Skill
Name: skedgo-tripgo-api
Version: 1.0.3
The OpenClaw AgentSkills skill bundle for the SkedGo TripGo API is classified as benign. The skill demonstrates robust security practices, including the use of `jq` for safe URL encoding of query parameters and secure construction of JSON request bodies, which effectively mitigates shell and JSON injection vulnerabilities across all `scripts/*.sh` files. Furthermore, the `SKILL.md` and `scripts/trips-hooks-a-trip-to-real-time-updates.sh` file implement strong webhook security by enforcing HTTPS and requiring a domain allowlist (`TRIPGO_WEBHOOK_ALLOWLIST`), with an explicit, warned-against bypass for debugging purposes. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts against the agent. All API calls are directed to the legitimate TripGo API endpoint.
Capability Assessment
Purpose & Capability
Name/description align with required artifacts: scripts implement TripGo endpoints and only require curl/jq and a TripGo API key (TRIPGO_API_KEY). Optional env vars (TRIPGO_BASE_URL, webhook allowlist, etc.) are directly relevant to API usage.
Instruction Scope
SKILL.md and the scripts remain within the declared scope (calling TripGo endpoints, validating JSON, URL-encoding inputs). A security-conscious webhook registration script enforces https and an allowlist by default. Note: many scripts print request bodies/URLs to stdout (for debugging) and accept arbitrary JSON for headers or webhook URLs — those outputs or supplied header JSON could contain sensitive data if you run the scripts with real secrets or untrusted webhook targets.
Install Mechanism
No install spec is provided (instruction-only install), so nothing is downloaded or extracted. The runtime relies on standard binaries (curl, jq, optional python3) which is low-risk.
Credentials
Only the TripGo API key is required (TRIPGO_API_KEY). Optional variables (TRIPGO_BASE_URL, TRIPGO_WEBHOOK_ALLOWLIST, TRIPGO_ALLOW_UNSAFE_WEBHOOK) are justified by the skill's webhook and base-URL configuration. Minor aliasing (TRIPGO_KEY in some scripts) is present but not a security concern.
Persistence & Privilege
The skill does not request persistent platform privileges (always is false). It does not attempt to modify other skills or system-wide settings; it runs as a set of scripts executed by the agent/user.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install skedgo-tripgo-api
- After installation, invoke the skill by name or use /skedgo-tripgo-api
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
# skedgo-tripgo-api v1.0.3 (metadata + webhook guardrails)
## ✅ Registry metadata coherence fix
Updated `SKILL.md` frontmatter to include machine-readable OpenClaw requirements so ClawHub can correctly display runtime requirements:
- Required env var: `TRIPGO_API_KEY`
- Required binaries: `curl`, `jq`
- Primary credential env: `TRIPGO_API_KEY`
Added frontmatter:
```yaml
metadata: {"openclaw":{"requires":{"bins":["curl","jq"],"env":["TRIPGO_API_KEY"]},"primaryEnv":"TRIPGO_API_KEY"}}
```
## 🔒 Webhook exfiltration-risk mitigation
Hardened `scripts/trips-hooks-a-trip-to-real-time-updates.sh` with default-safe webhook policy:
1. Enforce `https://` webhook URLs only.
2. Parse and validate webhook host.
3. Require domain allowlist by default via:
   - `TRIPGO_WEBHOOK_ALLOWLIST=example.com,webhooks.example.org`
4. Allow bypass only with explicit opt-in:
   - `TRIPGO_ALLOW_UNSAFE_WEBHOOK=true`
5. Keep JSON input validation for headers and safe JSON body construction via `jq`.
This preserves legitimate TripGo webhook functionality while reducing abuse potential from arbitrary callback destinations.
## Docs updates
Updated `SKILL.md` to document:
- `TRIPGO_WEBHOOK_ALLOWLIST` (recommended)
- `TRIPGO_ALLOW_UNSAFE_WEBHOOK` (debug/trusted use only)
- security behavior for webhook registration
## Verification
- `bash -n` passed for updated webhook script.
- Manual behavior checks confirm:
  - missing allowlist => blocked
  - non-allowlisted host => blocked
  - only allowlisted hosts (or explicit unsafe override) can proceed
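
The default-safe webhook policy described in this release, sketched as an added example; it is not the skill's own script. The function names `webhook_host` and `webhook_allowed` are hypothetical, and two behaviours are assumptions: a subdomain of an allowlisted entry is accepted, and the unsafe override skips only the allowlist while HTTPS stays enforced.

```shell
#!/usr/bin/env bash
# Added illustration of an HTTPS + host-allowlist webhook check (assumed rules).

# Print the lowercase host of an https:// URL, or return 1 if it is unacceptable.
webhook_host() {
  local url rest authority host
  url=$1
  case $url in
    https://*) rest=${url#https://} ;;
    *) return 1 ;;                        # rule 1: HTTPS only
  esac
  authority=${rest%%[/?#]*}               # cut path, query and fragment
  case $authority in
    *@*) return 1 ;;                      # userinfo hides the real host: reject
  esac
  host=${authority%%:*}                   # drop an optional :port
  host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
  case $host in                           # rule 2: plain DNS name only
    ''|.*|*.|*..*|*[!a-z0-9.-]*) return 1 ;;
  esac
  printf '%s\n' "$host"
}

# Return 0 if the URL may be registered as a webhook target, 1 otherwise.
webhook_allowed() {
  local host entry
  host=$(webhook_host "$1") || return 1
  # rule 4: explicit opt-in skips the allowlist (HTTPS was already enforced)
  [ "${TRIPGO_ALLOW_UNSAFE_WEBHOOK:-}" = "true" ] && return 0
  # rule 3: no allowlist configured means blocked
  [ -n "${TRIPGO_WEBHOOK_ALLOWLIST:-}" ] || return 1
  local IFS=,
  for entry in $TRIPGO_WEBHOOK_ALLOWLIST; do
    entry=$(printf '%s' "$entry" | tr -d ' ' | tr 'A-Z' 'a-z')
    [ -n "$entry" ] || continue
    case $host in                         # exact host, or subdomain on a label
      "$entry"|*."$entry") return 0 ;;    # boundary (assumed matching policy)
    esac
  done
  return 1
}
```

Matching on a label boundary is what keeps `notexample.com` and `example.com.evil.test` from passing an allowlist that contains `example.com`.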
---
Suggested release note summary:
> Fixes ClawHub metadata mismatch and adds secure-by-default webhook controls (HTTPS + allowlist, with explicit unsafe override) to reduce potential exfiltration risk while keeping TripGo hook support intact.
v1.0.2
# skedgo-tripgo-api v1.0.2 (Path encoding hardening)
## 🔒 Security hardening (follow-up)
Applied URL path-segment encoding for ID-based endpoints to close remaining injection surfaces.
Updated scripts:
- `scripts/trips-retrieve-previously-computed-trip.sh`
- `scripts/trips-save-trip-for-later-use.sh`
- `scripts/trips-update-trip-with-real-time-data.sh`
- `scripts/trips-gets-hooked-urls.sh`
- `scripts/trips-removes-a-hooks-from-a-trip.sh`
- `scripts/trips-mark-trip-as-planned-by-a-user.sh`
- `scripts/ttp-delete-travelling-tourist-problem-deprecated.sh`
## Other consistency improvements
- Added `set -euo pipefail` to the updated scripts.
- Added optional `TRIPGO_BASE_URL` support where missing (default remains `https://api.tripgo.com/v1`).
- Encoded optional `hash` query parameter in `trips-update-trip-with-real-time-data.sh`.
## ✅ Verification
- `bash -n` syntax check passed for all 7 updated scripts.
- Static check confirms no remaining direct unencoded path-ID interpolation in script `curl` URLs.
---
Suggested release note summary:
> Follow-up security hardening release. Added URL encoding for all remaining ID path segments (`trip/*`, `trip/hook/*`, `trip/planned/*`, `ttp/*`) and improved script robustness with strict shell settings.
v1.0.0
Initial public release
Frequently Asked Questions
What is SkedGo TripGo API?
Comprehensive interface for the SkedGo TripGo API, covering routing, public transport, trips, and location services. Use for multimodal journey planning, pub... It is an AI Agent Skill for Claude Code / OpenClaw, with 350 downloads so far.
How do I install SkedGo TripGo API?
Run "/install skedgo-tripgo-api" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is SkedGo TripGo API free?
Yes, SkedGo TripGo API is completely free (open-source). You can download, install and use it at no cost.
Which platforms does SkedGo TripGo API support?
SkedGo TripGo API is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created SkedGo TripGo API?
It is built and maintained by Guanyu Zhang (@guanyu-zhang); the current version is v1.0.3.