← Back to Skills Marketplace
727
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install mvg-cli
Description
Munich public transport (MVG) CLI and S-Bahn live tracking. Use for departure times, route planning, nearby stations, service alerts, and real-time S-Bahn po...
Usage Guidance
This skill appears to implement the MVG CLI functions it advertises, but there are several things to check before installing or running it: 1) The code contains an embedded GEOPS_API_KEY and GEOPS_ORIGIN — ask the author why a key is hardcoded, whether it is a public demo key, and what permissions that key has; treat embedded keys as sensitive. 2) The SKILL.md/README disagree about dependencies and the live-tracking implementation (Node+ws vs. Python/geOps). Ask the author to clarify required runtime components and to document any keys or persistent storage. 3) The CLI writes a session file to ~/.mvg_session.json — review the file contents after first run to ensure it does not store sensitive data. 4) If you cannot verify the geOps key or the maintainer, prefer running the CLI in a sandboxed environment or inspect the full source locally before use. If the key is intended to be private, do not use the skill until the key is removed or replaced with documentation instructing users to supply their own API key via environment variable.
Capability Analysis
Type: OpenClaw Skill
Name: mvg-cli
Version: 0.1.0
The skill is classified as suspicious due to the use of `subprocess.run` in `mvg_cli.py` to execute a dynamically generated JavaScript file via `node`. While the JavaScript code and its arguments are currently hardcoded and serve a legitimate purpose (fetching S-Bahn live data from `api.geops.io`), this pattern introduces a significant Remote Code Execution (RCE) risk. If an attacker could modify the hardcoded JavaScript or its execution parameters (e.g., via a supply chain attack on the skill bundle), it would lead to arbitrary code execution. This is a powerful and risky capability, even if not explicitly malicious in its current, hardcoded form. Additionally, the `README.md` and `mvg_cli.py` have inconsistent dependency information regarding the `requests` library and `node`/`ws` module, though this is a minor issue.
Capability Assessment
Purpose & Capability
Name/description match the included Python CLI code (search, departures, routes, alerts, live). However there are documentation mismatches: SKILL.md and README disagree about dependencies (SKILL.md: stdlib urllib; README: requests). SKILL.md states S-Bahn live requires Node+ws, yet the Python code contains a hardcoded geOps WebSocket API key and origin (implying direct realtime access). The presence of an embedded GEOPS_API_KEY in code is unexpected and not declared in the skill metadata.
Instruction Scope
SKILL.md tells the agent to run the included Python script and mentions Node+ws for live tracking, and otherwise stays within transit API calls. The code, however, persists session data to ~/.mvg_session.json and contains a hardcoded third‑party API key and origin for the geOps realtime service — neither of which the SKILL.md documents or declares. The skill's runtime will perform network calls to MVG and geOps endpoints and will create a persistent session file in the user's home directory.
Install Mechanism
No install spec — instruction-only skill with included code file. Nothing is downloaded or executed from arbitrary URLs during install, which keeps install risk low.
Credentials
The skill declares no required environment variables or credentials, yet the code embeds a GEOPS_API_KEY constant (looks like a private API key) and GEOPS_ORIGIN. Embedding a service key in distributed code is a red flag: the key may be unauthorized for redistribution, may grant access beyond the MVG data, or may be misused. The skill also writes a session file to the user's home directory, creating persistent state without declaring or documenting what is stored.
Persistence & Privilege
always:false and normal autonomous invocation rules apply (no elevated platform privileges). The skill does create and read a persistent session file at ~/.mvg_session.json under the user's home directory, but it does not appear to modify other agent settings or other skills' configs.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install mvg-cli - After installation, invoke the skill by name or use
/mvg-cli - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release — Munich public transport CLI with live S-Bahn tracking.
- Provides departure times, route planning, nearby stations, service alerts, and real-time S-Bahn positions via terminal commands.
- Supports filtering by transport type (U-Bahn, S-Bahn, bus, tram, regional trains, etc.).
- Fetches data using the unofficial MVG API; does not require authentication.
- S-Bahn live tracking uses geOps WebSocket connection (Node.js required for live feature).
- All commands support machine-readable JSON output.
Metadata
Frequently Asked Questions
What is Mvg?
Munich public transport (MVG) CLI and S-Bahn live tracking. Use for departure times, route planning, nearby stations, service alerts, and real-time S-Bahn po... It is an AI Agent Skill for Claude Code / OpenClaw, with 727 downloads so far.
How do I install Mvg?
Run "/install mvg-cli" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Mvg free?
Yes, Mvg is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Mvg support?
Mvg is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Mvg?
It is built and maintained by Lars147 (@lars147); the current version is v0.1.0.
More Skills