Metra Skill
v1.0.0
Chicago Metra commuter rail — real-time train arrivals, vehicle tracking, service alerts, and schedule info for all 11 Metra lines serving the Chicago metrop...
by Brian Leach (@brianleach)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code, README, and SKILL.md all describe a GTFS-RT + GTFS static integration and require Node.js, unzip, and an API key (METRA_API_KEY). That aligns with the skill's stated purpose. However the registry metadata provided to the platform lists no required binaries and no required env vars — an inconsistency that could mislead install-time checks.
Instruction Scope
SKILL.md and the included script keep operations within the expected scope: call Metra GTFS-RT endpoints (Bearer token auth), download/extract GTFS static into ~/.metra/gtfs/, and read that cache. The script also loads a local .env file (from the skill directory) into process.env — expected but worth noting because users may store their API key there.
Install Mechanism
There is no arbitrary remote binary download: dependencies are standard npm packages (protobufjs) and the SKILL.md asks the user to run `npm install`. This is a common, moderate-risk install mechanism (trusted registry). The package-lock shows protobufjs from the npm registry. No unusual third-party URLs or archive extraction beyond the GTFS static zip from Metra's schedule site.
Credentials
The runtime code requires a single API key (METRA_API_KEY) which is proportionate to retrieving protected GTFS-RT feeds. However the registry metadata omits this requirement entirely, which is inconsistent and could cause the platform to present incorrect permission prompts. The script also loads a local .env file and will cache static data under the user's home directory.
Persistence & Privilege
The skill does not request global 'always' presence. It will write/read a local cache directory (~/.metra/gtfs/) and may store a key in a local .env in the skill folder per the instructions. Those are normal for a data-integration skill but you should expect persistent files on disk.
What to consider before installing
What to check before installing:
- Confirm the METRA_API_KEY requirement: SKILL.md and the code require METRA_API_KEY, but the registry metadata omitted it. Don't install if the platform would grant broader secrets than this.
- Verify the external endpoints: the script uses gtfspublic.metrarr.com (GTFS-RT) and schedules.metrarail.com (static). Confirm those hosts are legitimate (they look related to Metra but double-check the GTFS-RT hostname). If unsure, open the repository link and inspect the endpoints yourself.
- Expect to run `npm install` in the skill folder (installs protobufjs from npm). Audit the dependencies first if you can, and run the install in a controlled environment.
- The skill will create ~/.metra/gtfs/ and read GTFS CSV files; if you prefer no persistent files, don't install or run refresh-gtfs.
- The script reads a local .env file in the skill directory — avoid storing long-lived credentials in places you don't control, or use an agent-managed secret store instead.
- If you want higher assurance, review the full scripts/metra.mjs contents (it uses child_process.execFileSync for local unzip operations) and test the skill in a sandboxed environment first.
If you want, I can point out exact lines in scripts/metra.mjs that reference the endpoints, .env loading, unzip/exec usage, and the GTFS cache location.
Like a lobster shell, security has layers — review code before you run it.
