Skill v0.1.0
ClawScan security
IDFM Journey (PRIM/Navitia) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 9:01 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements match its stated purpose (querying IDFM PRIM/Navitia) and do not request unrelated credentials or perform unexpected actions.
- Guidance: This skill appears to do exactly what it says: call Île‑de‑France PRIM/Navitia endpoints using your IDFM_PRIM_API_KEY. If you plan to install it: (1) only provide your IDFM API key if you trust the skill; the key is required to use the API. (2) Review the small script (it's pure Python, standard library) yourself if you can; it is readable and uses the documented PRIM base URL. (3) Be cautious if you or the agent override --base-url to an untrusted host, since that could send your API key elsewhere. Rotate the key if you suspect it was exposed.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included script and reference doc. The only credential referenced (IDFM_PRIM_API_KEY) is exactly what the PRIM/Navitia API requires, and the script calls the documented Navitia endpoints.
- Instruction Scope (ok): SKILL.md only instructs setting IDFM_PRIM_API_KEY and running the bundled Python script to call /places, /journeys, and /disruptions. The script does not read unrelated files, other env vars, or send data to unexpected external endpoints (default base URL is the official PRIM domain).
- Install Mechanism (ok): There is no install spec (instruction-only with a small bundled script). No downloads or archive extraction are performed; the script uses only the Python standard library.
- Credentials (ok): Only one environment variable is required (IDFM_PRIM_API_KEY), which is necessary and proportionate for authenticating to the IDFM PRIM API. No unrelated secrets or config paths are requested.
- Persistence & Privilege (ok): Skill does not request permanent presence (always: false) and does not modify other skills or system-wide settings. It runs on demand and relies on the environment-provided API key.
