IDFM Journey
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: idfm-journey-skill
Version: 0.1.6
The skill is a legitimate tool for querying the Île-de-France Mobilités (IDFM) transport API. The Python script (scripts/idfm.py) uses the standard library (urllib) to interact with official endpoints and correctly handles the API key via environment variables. No evidence of data exfiltration, malicious execution, or prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill will not work without an IDFM API key, and that key is used to authenticate requests to the transit API.
The script reads an IDFM API key from the environment and sends it as the API authentication header. This is purpose-aligned for PRIM/Navitia, but it is still credential use that users should understand, especially because the registry metadata lists no required env vars or primary credential.
self.api_key = api_key or os.environ.get("IDFM_PRIM_API_KEY") ... req.add_header("apikey", api_key)
Use a dedicated IDFM PRIM key, keep it in the environment only when needed, and rotate it if it is exposed.
If someone runs the script with a malicious or mistaken --base-url value, the IDFM API key could be sent to that endpoint.
The command-line tool allows the PRIM base URL to be overridden. Because the script sends the API key on requests, using an untrusted override could send the key outside the official IDFM endpoint, although the default is the expected official service.
p.add_argument("--base-url", default=BASE_URL, help="override PRIM base URL (default: %(default)s)")
Do not use --base-url except for a trusted PRIM/Navitia-compatible endpoint; keep the default official IDFM URL for normal use.
