IDFM Journey (PRIM/Navitia)
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward IDFM transit-query helper, with expected API-key use and one optional base-URL override that users should treat carefully.
Before installing, be aware that route searches and the IDFM PRIM API key are used to call the IDFM/Navitia service. Keep the default official endpoint, do not use untrusted base URLs, and consider using a dedicated API key.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use your IDFM PRIM API quota/credentials when making transit queries.
The script reads an IDFM API key from the environment and sends it as the PRIM/Navitia authentication header.
self.api_key = api_key or os.environ.get("IDFM_PRIM_API_KEY") ... req.add_header("apikey", api_key)Use a dedicated or restricted IDFM PRIM API key if available, and the registry should declare this environment variable/credential requirement.
If misused, the API key and route queries could be sent to a non-IDFM endpoint.
The CLI allows the PRIM base URL to be overridden; because the API key is attached to requests, this option should not be pointed at untrusted hosts.
p.add_argument("--base-url", default=BASE_URL, help="override PRIM base URL (default: %(default)s)")Keep the default official PRIM/Navitia endpoint unless you intentionally trust the alternate endpoint.
You have less external provenance information about who maintains this skill, even though the bundled code is small and visible here.
The registry metadata does not provide an upstream source or homepage for provenance review.
Source: unknown; Homepage: none
Prefer skills with a verifiable source repository or review the bundled files before installing.