guanyu-zhang

SkedGo TripGo API

Author: Guanyu Zhang · GitHub · v1.0.3
cross-platform ✓ Security check passed
Total downloads: 350
Favorites: 0
Current installs: 0
Versions: 3
Install in OpenClaw
/install skedgo-tripgo-api
Description
Comprehensive interface for the SkedGo TripGo API, covering routing, public transport, trips, and location services. Use for multimodal journey planning, pub...
Security usage recommendations
This skill appears to do exactly what it claims: provide shell scripts to call TripGo endpoints. Before installing or running it: (1) only provide a TripGo API key (TRIPGO_API_KEY) — do not reuse high-privilege or unrelated credentials; (2) review any webhook URLs you register and set TRIPGO_WEBHOOK_ALLOWLIST to trusted domains (the scripts enforce https and an allowlist by default); (3) be aware many scripts print request bodies or URLs to stdout — avoid running them where logs are public if the inputs include sensitive info; (4) ensure curl and jq are available; (5) inspect and test scripts in a safe environment (no secrets) if you want to verify behavior. Overall the package is internally consistent and proportionate to its stated purpose.
Functional analysis
Type: OpenClaw Skill
Name: skedgo-tripgo-api
Version: 1.0.3
The OpenClaw AgentSkills skill bundle for the SkedGo TripGo API is classified as benign. The skill demonstrates robust security practices, including the use of `jq` for safe URL encoding of query parameters and secure construction of JSON request bodies, which effectively mitigates shell and JSON injection vulnerabilities across all `scripts/*.sh` files. Furthermore, the `SKILL.md` and `scripts/trips-hooks-a-trip-to-real-time-updates.sh` file implement strong webhook security by enforcing HTTPS and requiring a domain allowlist (`TRIPGO_WEBHOOK_ALLOWLIST`), with an explicit, warned-against bypass for debugging purposes. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts against the agent. All API calls are directed to the legitimate TripGo API endpoint.
Capability assessment
Purpose & Capability
Name/description align with required artifacts: scripts implement TripGo endpoints and only require curl/jq and a TripGo API key (TRIPGO_API_KEY). Optional env vars (TRIPGO_BASE_URL, webhook allowlist, etc.) are directly relevant to API usage.
Instruction Scope
SKILL.md and the scripts remain within the declared scope (calling TripGo endpoints, validating JSON, URL-encoding inputs). A security-conscious webhook registration script enforces https and an allowlist by default. Note: many scripts print request bodies/URLs to stdout (for debugging) and accept arbitrary JSON for headers or webhook URLs — those outputs or supplied header JSON could contain sensitive data if you run the scripts with real secrets or untrusted webhook targets.
Install Mechanism
No install spec is provided (instruction-only install), so nothing is downloaded or extracted. The runtime relies on standard binaries (curl, jq, optional python3) which is low-risk.
Credentials
Only the TripGo API key is required (TRIPGO_API_KEY). Optional variables (TRIPGO_BASE_URL, TRIPGO_WEBHOOK_ALLOWLIST, TRIPGO_ALLOW_UNSAFE_WEBHOOK) are justified by the skill's webhook and base-URL configuration. Minor aliasing (TRIPGO_KEY in some scripts) is present but not a security concern.
Persistence & Privilege
The skill does not request persistent platform privileges (always is false). It does not attempt to modify other skills or system-wide settings; it runs as a set of scripts executed by the agent/user.
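How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install skedgo-tripgo-api
  3. Once installation completes, call the Skill by name or trigger it with /skedgo-tripgo-api
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history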
v1.0.3
# skedgo-tripgo-api v1.0.3 (metadata + webhook guardrails)

## ✅ Registry metadata coherence fix

Updated `SKILL.md` frontmatter to include machine-readable OpenClaw requirements so ClawHub can correctly display runtime requirements:

- Required env var: `TRIPGO_API_KEY`
- Required binaries: `curl`, `jq`
- Primary credential env: `TRIPGO_API_KEY`

Added frontmatter:

```yaml
metadata: {"openclaw":{"requires":{"bins":["curl","jq"],"env":["TRIPGO_API_KEY"]},"primaryEnv":"TRIPGO_API_KEY"}}
```

## 🔒 Webhook exfiltration-risk mitigation

Hardened `scripts/trips-hooks-a-trip-to-real-time-updates.sh` with default-safe webhook policy:

1. Enforce `https://` webhook URLs only.
2. Parse and validate webhook host.
3. Require domain allowlist by default via:
   - `TRIPGO_WEBHOOK_ALLOWLIST=example.com,webhooks.example.org`
4. Allow bypass only with explicit opt-in:
   - `TRIPGO_ALLOW_UNSAFE_WEBHOOK=true`
5. Keep JSON input validation for headers and safe JSON body construction via `jq`.

This preserves legitimate TripGo webhook functionality while reducing abuse potential from arbitrary callback destinations.

## Docs updates

Updated `SKILL.md` to document:

- `TRIPGO_WEBHOOK_ALLOWLIST` (recommended)
- `TRIPGO_ALLOW_UNSAFE_WEBHOOK` (debug/trusted use only)
- security behavior for webhook registration

## Verification

- `bash -n` passed for updated webhook script.
- Manual behavior checks confirm:
  - missing allowlist => blocked
  - non-allowlisted host => blocked
  - only allowlisted hosts (or explicit unsafe override) can proceed

---

Suggested release note summary:

> Fixes ClawHub metadata mismatch and adds secure-by-default webhook controls (HTTPS + allowlist, with explicit unsafe override) to reduce potential exfiltration risk while keeping TripGo hook support intact.
v1.0.2
# skedgo-tripgo-api v1.0.2 (Path encoding hardening)

## 🔒 Security hardening (follow-up)

Applied URL path-segment encoding for ID-based endpoints to close remaining injection surfaces.

Updated scripts:

- `scripts/trips-retrieve-previously-computed-trip.sh`
- `scripts/trips-save-trip-for-later-use.sh`
- `scripts/trips-update-trip-with-real-time-data.sh`
- `scripts/trips-gets-hooked-urls.sh`
- `scripts/trips-removes-a-hooks-from-a-trip.sh`
- `scripts/trips-mark-trip-as-planned-by-a-user.sh`
- `scripts/ttp-delete-travelling-tourist-problem-deprecated.sh`

## Other consistency improvements

- Added `set -euo pipefail` to the updated scripts.
- Added optional `TRIPGO_BASE_URL` support where missing (default remains `https://api.tripgo.com/v1`).
- Encoded optional `hash` query parameter in `trips-update-trip-with-real-time-data.sh`.

## ✅ Verification

- `bash -n` syntax check passed for all 7 updated scripts.
- Static check confirms no remaining direct unencoded path-ID interpolation in script `curl` URLs.

---

Suggested release note summary:

> Follow-up security hardening release. Added URL encoding for all remaining ID path segments (`trip/*`, `trip/hook/*`, `trip/planned/*`, `ttp/*`) and improved script robustness with strict shell settings.
v1.0.0
Initial public release
Metadata
Slug skedgo-tripgo-api
Version 1.0.3
License
Total installs 0
Current installs 0
Historical versions 3
Frequently asked questions

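What is SkedGo TripGo API?

Comprehensive interface for the SkedGo TripGo API, covering routing, public transport, trips, and location services. Use for multimodal journey planning, pub... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 350 total downloads to date.

How do I install SkedGo TripGo API?

Run the command "/install skedgo-tripgo-api" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.

Is SkedGo TripGo API free?

Yes, SkedGo TripGo API is completely free (open source and free of charge) and can be freely downloaded, installed and used.

Which platforms does SkedGo TripGo API support?

SkedGo TripGo API runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed SkedGo TripGo API?

Developed and maintained by Guanyu Zhang (@guanyu-zhang); the current version is v1.0.3.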
