Youbike Mcp
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a read-only YouBike lookup skill that fetches public station data; review the npm setup/provenance before installing.
This skill looks safe for its stated read-only purpose. Before installing, verify that you trust the package source and are comfortable with npm setup scripts. The runtime behavior shown fetches public YouBike data from the listed APIs and does not access credentials or local private files.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You may have less ability to confirm who maintains the skill or compare it against an official repository.
The skill's provenance is limited because no upstream source or homepage is provided. This does not contradict the implementation, but users have less context for independently verifying the package.
Source: unknown Homepage: none
Review the included files and package metadata before installing, especially if using it in a sensitive environment.
Running npm install may execute the husky lifecycle command in addition to installing dependencies.
The documented npm setup can trigger npm lifecycle script execution, including the prepare script. The script is a common development hook tool and no malicious hook content is shown, but it is still code execution during local setup.
"scripts": {
"start": "node src/index.js",
"test": "node tests/test-integration.js",
"prepare": "husky"
}If you do not need development hooks, inspect scripts first or consider installing with npm script execution disabled in a controlled environment.