Skill v1.0.0

ClawScan security

French Services · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 8:48 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The package contains legitimate-looking scripts for French public services (SNCF, La Poste, RATP, Open‑Meteo) but the registry metadata omits required API key environment variables declared in SKILL.md and the scripts — an incoherence worth investigating before install.
Guidance
This skill appears to be a straightforward aggregator of French public-service APIs, and the code uses only the Python standard library and well-known service endpoints. However: (1) the registry metadata does not list the API keys the scripts require; confirm with the publisher why the metadata and SKILL.md disagree before installing. (2) If you do install, avoid putting API keys in plain shell profiles (~/.bashrc, ~/.zshrc), where every process started from that shell can read them; prefer the platform's secret storage or per-workspace environment secrets over a .env file committed to the repository. (3) Inspect the full, untruncated files (ensure there are no hidden network calls or obfuscated code in the truncated sections) and consider running the scripts in an isolated environment the first time. (4) If you don't need authenticated features, the meteo script works without keys. If the author updates the metadata to declare the required env vars and a primary credential, the incoherence concern will be resolved.

Review Dimensions

Purpose & Capability
Concern: The scripts clearly implement SNCF (Navitia), La Poste, IDFM/RATP and Open‑Meteo functionality and require API keys (SNCF_API_KEY, LAPOSTE_API_KEY, IDFM_API_KEY) per SKILL.md and references/api-setup.md. However, the registry metadata lists no required environment variables or primary credential. That mismatch (code and docs expect secrets, but the metadata doesn't declare them) is an inconsistency that should be resolved.
Instruction Scope
OK: SKILL.md instructs running the included Python scripts and points to the included references/api-setup.md. The runtime instructions and code only call official public APIs (navitia.io, api.laposte.fr, api.open-meteo.com, prim.iledefrance-mobilites.fr), read environment variables for API keys, and format output. I saw no instructions to read arbitrary local files, traverse user home directories, or send data to unexpected endpoints.
Install Mechanism
OK: No install spec is provided (instruction-only). The repository includes Python scripts that use only the standard library. No downloads, package installs, or extraction from external URLs are performed by an install step.
Credentials
Concern: The number and type of environment variables required by the scripts (three API keys) are proportionate to the stated features. However, the skill registry metadata does not declare these required env vars or a primary credential, which is inconsistent and could lead to accidental credential exposure (users may put keys in shell profiles or a .env file, as suggested).
Persistence & Privilege
OK: The skill does not request persistent/global privileges (the always flag is false). The code does not modify other skills or system-wide agent settings and does not persist credentials itself. Normal runtime requires the process environment to contain the API keys if the user wants the authenticated endpoints to work.