← Back to Skills Marketplace
ham-kris

Yanji Bus Query

by Ham-Kris · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
276
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install yanjibus
Description
查询延吉公交线路的实时车辆位置,可指定线路号、子线路及模糊匹配起始和终点站名。
Usage Guidance
This skill appears to implement the advertised bus-query functionality, but you should be cautious before running it: (1) the metadata omits required binaries — ensure curl and python3 are available; (2) the script embeds the remote JSON (and user-supplied station names) directly into an inlined Python program without escaping, which could allow arbitrary Python code execution if the remote site or inputs are malicious or if an attacker can tamper with the HTTP responses; (3) only use this skill if you trust the bus.yanjibus.com host or run it in an isolated/sandboxed environment. If you plan to install or run it, consider patching the script to avoid embedding untrusted data into source (e.g., pass BUS_DATA via stdin or a temporary file and use json.load, and safely escape or validate user inputs), and update the skill metadata to list required binaries.
Capability Analysis
Type: OpenClaw Skill Name: yanjibus Version: 1.0.0 The skill contains significant command injection vulnerabilities in `yanji-bus.sh`. User-provided arguments, such as station names and line numbers, are directly interpolated into a Python script block and shell commands without sanitization, which could allow for Remote Code Execution (RCE) if a user provides crafted input. While the tool's stated purpose of querying bus data from `bus.yanjibus.com` appears legitimate and there is no evidence of intentional malice, the implementation is highly insecure.
Capability Assessment
Purpose & Capability
Name/description match the implementation: the script queries http://bus.yanjibus.com and prints route + realtime vehicle data. However the registry metadata declares no required binaries while the script clearly depends on curl and python3 — an omission that is incoherent and may mislead users about runtime requirements.
Instruction Scope
SKILL.md instructs the agent to run the included bash script which fetches HTML/JSON from bus.yanjibus.com and parses it. The script embeds two sources of untrusted input (BUS_DATA from the remote HTTP response and user-supplied --from/--to values) directly into the Python -c source as triple-quoted string literals without escaping. That creates a realistic remote/user-controlled code-injection / arbitrary-Python-execution risk if the fetched data or parameters contain quote sequences or crafted payloads.
Install Mechanism
No install spec — instruction-only with an included script. Nothing is downloaded or written during install, which is proportionate to the stated purpose.
Credentials
The skill requests no environment variables, credentials, or config paths, which aligns with its stated purpose of querying a public bus site.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system configs. Autonomous invocation is allowed by default but is not combined with other privilege escalation signals.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install yanjibus
  3. After installation, invoke the skill by name or use /yanjibus
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of the 延吉公交实时查询 skill. - Supports real-time bus location lookup for Yanji bus routes. - Allows queries by route number, optional sub-route, and optional departure/destination with station name fuzzy matching. - Default sub-route is 1 if not specified (3路 has 3 sub-routes). - Includes quick reference for popular routes and integration suggestion with the Gaode Map skill.
Metadata
Slug yanjibus
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Yanji Bus Query?

查询延吉公交线路的实时车辆位置,可指定线路号、子线路及模糊匹配起始和终点站名。 It is an AI Agent Skill for Claude Code / OpenClaw, with 276 downloads so far.

How do I install Yanji Bus Query?

Run "/install yanjibus" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Yanji Bus Query free?

Yes, Yanji Bus Query is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Yanji Bus Query support?

Yanji Bus Query is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Yanji Bus Query?

It is built and maintained by Ham-Kris (@ham-kris); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments