Mvg
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a read-only Munich public transport lookup skill, with disclosed external API use and only minor install, token, and local-state details users should notice.
This skill looks safe for normal read-only transit lookups. Before installing, be aware that queries may go to MVG/geOps services, README setup commands may pull from GitHub or install system-wide, live tracking uses an embedded provider key, and a small local session file may be created in your home directory.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your station, route, address, or coordinate lookups may be sent to third-party transit/live-tracking APIs.
The skill sends transit queries to external MVG and geOps APIs. This is disclosed and purpose-aligned, but users should know route, address, or coordinate queries may be shared with those services.
Base URL: `https://www.mvg.de/api/bgw-pt/v3/` ... S-Bahn live: `wss://api.geops.io/realtime-ws/v1/`
Use it for transport lookups as intended, and avoid entering sensitive addresses if you do not want them sent to the transit providers.
If you follow those setup commands, you may run code from a moving GitHub branch or install it system-wide.
The README documents user-directed installation from an unpinned GitHub source and an optional privileged copy into a system PATH location. These are normal CLI setup patterns, but they rely on trusting the remote source and local script.
`uvx --from git+https://github.com/Lars147/mvg-cli mvg search "Marienplatz"` ... `sudo cp mvg_cli.py /usr/local/bin/mvg`
Prefer reviewing the code, pinning a specific commit or release when possible, and avoiding sudo/system-wide installation unless you trust the source.
The live-tracking command may depend on a bundled third-party API token, which could stop working or have provider usage implications.
The live-tracking feature includes an embedded geOps API key. It is not a user credential and appears tied to the disclosed S-Bahn live feature, but it is a provider token dependency not declared in registry metadata.
`GEOPS_API_KEY = "5cc87b12d7c5370001c1d655112ec5c21e0f441792cfc2fafe3e7a1e"`
Treat the embedded token as part of the live-tracking integration, not as a private user secret; review provider terms if this matters to you.
The tool may keep local state in ~/.mvg_session.json between runs.
The code defines a persistent hidden session file in the user's home directory and includes load/save helpers. The provided artifacts do not show sensitive contents or exfiltration, but it is local persistent state.
`SESSION_FILE = Path.home() / ".mvg_session.json"` ... `self._load_session()` ... `json.dump(self.session, f, ensure_ascii=False, indent=2)`
If you want no retained local state, inspect or delete ~/.mvg_session.json after use.
