Munich public transport (MVG) CLI and S-Bahn live tracking. Use for departure times, route planning, nearby stations, service alerts, and real-time S-Bahn po...
Security Analysis
medium confidence
The skill largely matches its stated MVG/transport purpose, but there are multiple incoherences (embedded geOps API key not declared, documentation mismatches, and a session file written to the home directory) that warrant caution before installing.
Name/description match the included Python CLI code (search, departures, routes, alerts, live). However there are documentation mismatches: SKILL.md and README disagree about dependencies (SKILL.md: stdlib urllib; README: requests). SKILL.md states S-Bahn live requires Node+ws, yet the Python code contains a hardcoded geOps WebSocket API key and origin (implying direct realtime access). The presence of an embedded GEOPS_API_KEY in code is unexpected and not declared in the skill metadata.
SKILL.md tells the agent to run the included Python script and mentions Node+ws for live tracking, and otherwise stays within transit API calls. The code, however, persists session data to ~/.mvg_session.json and contains a hardcoded third‑party API key and origin for the geOps realtime service — neither of which the SKILL.md documents or declares. The skill's runtime will perform network calls to MVG and geOps endpoints and will create a persistent session file in the user's home directory.
No install spec — instruction-only skill with included code file. Nothing is downloaded or executed from arbitrary URLs during install, which keeps install risk low.
The skill declares no required environment variables or credentials, yet the code embeds a GEOPS_API_KEY constant (looks like a private API key) and GEOPS_ORIGIN. Embedding a service key in distributed code is a red flag: the key may be unauthorized for redistribution, may grant access beyond the MVG data, or may be misused. The skill also writes a session file to the user's home directory, creating persistent state without declaring or documenting what is stored.
always:false and normal autonomous invocation rules apply (no elevated platform privileges). The skill does create and read a persistent session file at ~/.mvg_session.json under the user's home directory, but it does not appear to modify other agent settings or other skills' configs.
Guidance
This skill appears to implement the MVG CLI functions it advertises, but there are several things to check before installing or running it:
1) The code contains an embedded GEOPS_API_KEY and GEOPS_ORIGIN — ask the author why a key is hardcoded, whether it is a public demo key, and what permissions that key has; treat embedded keys as sensitive.
2) The SKILL.md/README disagree about dependencies and the live-tracking implementation (Node+ws vs. Python/geOps). Ask the author to clarify required runtime components and to document any keys or persistent storage.
3) The CLI writes a session file to ~/.mvg_session.json — review the file contents after first run to ensure it does not store sensitive data.
4) If you cannot verify the geOps key or the maintainer, prefer running the CLI in a sandboxed environment or inspect the full source locally before use. If the key is intended to be private, do not use the skill until the key is removed or replaced with documentation instructing users to supply their own API key via environment variable.
Latest Release
v0.1.0
Initial release — Munich public transport CLI with live S-Bahn tracking.
- Provides departure times, route planning, nearby stations, service alerts, and real-time S-Bahn positions via terminal commands.
- Supports filtering by transport type (U-Bahn, S-Bahn, bus, tram, regional trains, etc.).
- Fetches data using the unofficial MVG API; does not require authentication.
- S-Bahn live tracking uses geOps WebSocket connection (Node.js required for live feature).
- All commands support machine-readable JSON output.
Published by @Lars147 on ClawHub