NYC MTA Transit
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill appears aligned with its NYC transit purpose, but it uses an MTA bus API key, installs an npm dependency, and caches transit data locally.
Before installing, expect to run npm install, provide an MTA_BUS_API_KEY only if you want bus predictions, and allow the skill to cache GTFS transit data under ~/.mta/gtfs. Keep unrelated secrets out of the skill's .env file.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your MTA BusTime API key may be used in requests to MTA's bus API when you ask for bus predictions.
The script reads an API key from the environment for the MTA BusTime service, which is expected for bus-arrival functionality but still gives the skill access to a credential.
const MTA_BUS_API_KEY = process.env.MTA_BUS_API_KEY || ''; ... const BUS_SIRI_BASE = 'https://bustime.mta.info/api/siri';
Use only a free MTA BusTime key for this skill, and avoid placing unrelated secrets in the skill's .env file.
Installing dependencies may run standard npm package install scripts from the dependency chain.
The documented npm setup installs protobufjs, and the lockfile indicates that dependency has an install script. This is common and purpose-aligned for protobuf decoding, but it is still third-party install-time code.
"node_modules/protobufjs": { "version": "7.5.4", ... "hasInstallScript": true
Install from the published lockfile or trusted repository, and review dependency changes before updating.
A tampered GTFS download could cause inaccurate stop or route lookup results.
The skill downloads official GTFS static data over HTTP and caches it locally. The code comments disclose this, but unencrypted transit data could be modified in transit and affect route or stop results.
const GTFS_STATIC_URL = 'http://web.mta.info/developers/data/nyct/subway/google_transit.zip'; const GTFS_DIR = path.join(os.homedir(), '.mta', 'gtfs');
Refresh the GTFS cache on a trusted network and prefer verified or HTTPS sources if MTA provides them in the future.
