gotrain
v1.3.0
MTA system train departures (NYC Subway, LIRR, Metro-North). Use when the user wants train times, schedules, or service alerts for MTA transit. Covers MTA Subway, LIRR, and Metro-North across the greater New York area.
by Gustavo Madeira Santana @gumadeiras
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name and description call for a CLI named 'gotrain'. The skill requires the 'gotrain' binary and provides an npm install step for 'gotrain-cli', which creates that binary. This is coherent and expected for a CLI-based transit skill.
Instruction Scope
SKILL.md instructs the agent to run the gotrain CLI commands (stations, departures, alerts, fav, favs). It does not instruct the agent to read unrelated files, environment variables, or to transmit data to endpoints outside the CLI's expected behavior.
Install Mechanism
Installation is via npm (package 'gotrain-cli') which is a common and expected mechanism for providing a CLI. npm packages can run arbitrary install scripts and contain arbitrary JS, so this is a moderate-risk install method compared with no install spec or a vetted system package. The SKILL.md includes a GitHub repo which helps traceability but no homepage or publisher details are provided in the metadata.
Credentials
The skill requests no environment variables, no credentials, and no config paths — appropriate for a read-only transit query tool.
Persistence & Privilege
always is false and there are no indications the skill modifies other skills or system-wide agent settings. It is eligible for autonomous invocation by default (normal for skills) but requests no elevated persistence or privileges.
Assessment
This skill is internally consistent: it expects a 'gotrain' CLI and provides an npm package to install it. Before installing, inspect the npm package and its GitHub repository (publisher, recent commits, install scripts, and source code) because npm packages can execute arbitrary code during install. Prefer running the CLI in an isolated environment (container or VM) if you don't fully trust the publisher. Check where the CLI stores favorites or cache on your filesystem if you care about local data storage. If you need higher assurance, verify the package's SHA/signature or use a vetted distribution channel.
Like a lobster shell, security has layers — review code before you run it.
latestvk976tadn5hewbvq2jpgvy4dsf97zzp1s
Runtime requirements
Bins: gotrain
Install
Install gotrain CLI (npm)
Bins: gotrain
npm i -g gotrain-cli