IDFM Journey
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill appears to do what it claims—query the IDFM/Navitia transit API—but it uses an IDFM API key and includes a manual endpoint override that users should keep pointed at the official service.
This skill is reasonable to install if you intend to query Île-de-France Mobilités routes and disruptions. Before using it, create or use a dedicated IDFM PRIM API key, understand that your route/place queries are sent to IDFM/Navitia, and avoid changing the --base-url option unless you fully trust the target endpoint.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill will not work without an IDFM API key, and that key is used to authenticate requests to the transit API.
The script reads an IDFM API key from the environment and sends it as the API authentication header. This is purpose-aligned for PRIM/Navitia, but it is still credential use that users should understand, especially because the registry metadata lists no required env vars or primary credential.
self.api_key = api_key or os.environ.get("IDFM_PRIM_API_KEY") ... req.add_header("apikey", api_key)
Use a dedicated IDFM PRIM key, keep it in the environment only when needed, and rotate it if it is exposed.
If someone runs the script with a malicious or mistaken --base-url value, the IDFM API key could be sent to that endpoint.
The command-line tool allows the PRIM base URL to be overridden. Because the script sends the API key on requests, using an untrusted override could send the key outside the official IDFM endpoint, although the default is the expected official service.
p.add_argument("--base-url", default=BASE_URL, help="override PRIM base URL (default: %(default)s)")
Do not use --base-url except for a trusted PRIM/Navitia-compatible endpoint; keep the default official IDFM URL for normal use.
