Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
IDFM Journey
v0.1.6
Query Île-de-France Mobilités (IDFM) PRIM/Navitia for Paris + suburbs public transport (Île-de-France) — place resolution, journey planning, and disruptions/...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (IDFM PRIM/Navitia queries) matches the bundled script and documentation: place resolution, journeys, and disruptions. However, the registry metadata lists no required environment variables while SKILL.md and scripts/idfm.py both require IDFM_PRIM_API_KEY — an inconsistency between declared metadata and actual runtime needs.
Instruction Scope
SKILL.md instructs the agent/user to set IDFM_PRIM_API_KEY and run the included Python script. The runtime instructions are narrow: call the public Navitia endpoints, optionally print JSON, and pick place IDs. The instructions do not ask to read unrelated local files, transmit data to unknown endpoints, or collect extra system context.
Install Mechanism
No install spec or external downloads; the skill is instruction-only with a bundled Python script that uses only the standard library (urllib). Nothing is written to disk beyond the packaged files. This is a low-risk install mechanism.
Credentials
The script legitimately needs a single service credential (IDFM_PRIM_API_KEY) to call the Navitia API, which is proportional to purpose. The concern is the metadata/registry omission: the top-level metadata claims no required env vars while the SKILL.md and script require an API key. That mismatch could lead to accidental exposure (users won't be warned by the registry) or confusion about what to provide.
Persistence & Privilege
The skill does not request persistent/always-included presence. It does not modify other skills or system settings. Autonomous invocation is allowed (default) but not combined with other elevated privileges.
What to consider before installing
This skill appears to be a straightforward Python wrapper for the IDFM PRIM/Navitia API and only needs your IDFM_PRIM_API_KEY. Before installing: (1) note the registry metadata omits the required env var — double-check you set IDFM_PRIM_API_KEY only for this skill; (2) review the included scripts/idfm.py yourself (it only uses urllib and calls the official prim.iledefrance-mobilites.fr endpoint); (3) avoid pasting other unrelated secrets into the environment; (4) run it in an isolated environment if you are unsure (or ask the publisher to update the registry metadata to declare the required env var). If you need higher assurance, ask the owner to provide a verified homepage or more provenance for the package.
Like a lobster shell, security has layers — review code before you run it.
