Metra Skill

Pass

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a disclosed Metra transit-data skill, with expected API-key, npm dependency, and local schedule-cache behavior that users should notice before installing.

Before installing, be aware that this skill needs Node/npm dependencies, a Metra API key, and a local GTFS cache under ~/.metra/gtfs. These behaviors match the transit-data purpose, but the registry metadata under-declares some setup details, so review the README/SKILL.md setup steps and keep unrelated secrets out of the skill's .env file.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Metra API key will be available to the script and used for requests to Metra's realtime data service.

Why it was flagged

The script declares that it uses a user-provided Metra API key and sends it to Metra's realtime feed endpoint for authentication.

Skill content

Environment variables: METRA_API_KEY ... External endpoints: gtfspublic.metrarr.com (GTFS-RT, Bearer token auth)

Recommendation

Use a dedicated Metra API key, keep it scoped to this service, and do not store unrelated secrets in the skill's .env file.

What this means

Installing dependencies may execute standard npm package installation logic from a third-party package.

Why it was flagged

The documented npm install pulls a third-party protobuf dependency that has an install script; this is expected for decoding GTFS-RT protobuf data, but it is still supply-chain-relevant.

Skill content

"node_modules/protobufjs": { "version": "7.5.4", "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz", "hasInstallScript": true

Recommendation

Install from the published package-lock, review dependency provenance if your environment is sensitive, and consider npm install options that disable lifecycle scripts if compatible.

What this means

Running the refresh command writes public transit schedule files into your home directory for later lookups.

Why it was flagged

The skill documents a user-run maintenance command that downloads and extracts Metra schedule data into a local cache.

Skill content

On first use, run `node scripts/metra.mjs refresh-gtfs` to download and extract the static GTFS data ... to `~/.metra/gtfs/`.

Recommendation

Run the refresh command only when you want to update the local Metra schedule cache, and verify it writes only to ~/.metra/gtfs.