Is anthonymq/idfm-journey-navitia safe?

https://github.com/openclaw/skills/tree/main/skills/anthonymq/idfm-journey-navitia

91
SAFE

This skill is a straightforward Paris transit planning utility that wraps the IDFM PRIM/Navitia API via a minimal stdlib-only Python script. No prompt injection, malicious code, git hooks, submodules, or canary violations were detected, and the skill's clone behavior was limited to a standard GitHub sparse checkout. The only meaningful risk is an undocumented --base-url argument that could enable API key leakage or SSRF if an attacker can influence how the agent constructs invocation commands, though no evidence of this capability was observed in the skill's own content.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (5)

LOW --base-url parameter enables API key exfiltration to arbitrary host -10

The Python script exposes an undocumented --base-url CLI flag with no allowlist validation. If an attacker can influence the agent's command construction (via prompt injection in a user-supplied travel query), the IDFM_PRIM_API_KEY environment variable would be sent as an HTTP header to the attacker's server. No evidence of exploitation was observed; the script only contacted prim.iledefrance-mobilites.fr during normal usage.

LOW --base-url enables SSRF from agent context -5

Absent an allowlist, the --base-url flag makes the script a general-purpose HTTP client. Paired with the apikey header, it constitutes an authenticated SSRF gadget if argument control is achievable. Risk is bounded by the agent's permission to invoke the script.

INFO Pre-clone connection to Canonical servers (Ubuntu MOTD) -10

A TLS connection to 185.125.188.57 (Canonical Ltd.) was observed before the git clone. This is caused by Ubuntu's MOTD news service firing on SSH session setup, not by any code in the skill. It is included for completeness as an unexplained external connection within the monitoring window.

INFO IDFM API key transmitted to configured endpoint -5

The IDFM_PRIM_API_KEY is read from the environment and sent in every HTTP request. Under normal use this is scoped to the official IDFM endpoint. The exposure is contingent on --base-url abuse.

INFO No prompt injection detected in SKILL.md -5

SKILL.md contains only legitimate tool invocation documentation. No hidden instructions, override attempts, invisible Unicode, or persona-change directives were found. The skill description accurately represents its functionality.