lars147

Mvg

Author: Lars147 · GitHub · v0.1.0
cross-platform ⚠ suspicious
Total downloads: 727
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install mvg-cli
Description
Munich public transport (MVG) CLI and S-Bahn live tracking. Use for departure times, route planning, nearby stations, service alerts, and real-time S-Bahn po...
Safe usage advice
This skill appears to implement the MVG CLI functions it advertises, but there are several things to check before installing or running it:
  1. The code contains an embedded GEOPS_API_KEY and GEOPS_ORIGIN — ask the author why a key is hardcoded, whether it is a public demo key, and what permissions that key has; treat embedded keys as sensitive.
  2. The SKILL.md/README disagree about dependencies and the live-tracking implementation (Node+ws vs. Python/geOps). Ask the author to clarify required runtime components and to document any keys or persistent storage.
  3. The CLI writes a session file to ~/.mvg_session.json — review the file contents after first run to ensure it does not store sensitive data.
  4. If you cannot verify the geOps key or the maintainer, prefer running the CLI in a sandboxed environment or inspect the full source locally before use.
If the key is intended to be private, do not use the skill until the key is removed or replaced with documentation instructing users to supply their own API key via environment variable.
Functional analysis
Type: OpenClaw Skill
Name: mvg-cli
Version: 0.1.0
The skill is classified as suspicious due to the use of `subprocess.run` in `mvg_cli.py` to execute a dynamically generated JavaScript file via `node`. While the JavaScript code and its arguments are currently hardcoded and serve a legitimate purpose (fetching S-Bahn live data from `api.geops.io`), this pattern introduces a significant Remote Code Execution (RCE) risk. If an attacker could modify the hardcoded JavaScript or its execution parameters (e.g., via a supply chain attack on the skill bundle), it would lead to arbitrary code execution. This is a powerful and risky capability, even if not explicitly malicious in its current, hardcoded form. Additionally, the `README.md` and `mvg_cli.py` have inconsistent dependency information regarding the `requests` library and `node`/`ws` module, though this is a minor issue.
Capability assessment
Purpose & Capability
Name/description match the included Python CLI code (search, departures, routes, alerts, live). However there are documentation mismatches: SKILL.md and README disagree about dependencies (SKILL.md: stdlib urllib; README: requests). SKILL.md states S-Bahn live requires Node+ws, yet the Python code contains a hardcoded geOps WebSocket API key and origin (implying direct realtime access). The presence of an embedded GEOPS_API_KEY in code is unexpected and not declared in the skill metadata.
Instruction Scope
SKILL.md tells the agent to run the included Python script and mentions Node+ws for live tracking, and otherwise stays within transit API calls. The code, however, persists session data to ~/.mvg_session.json and contains a hardcoded third‑party API key and origin for the geOps realtime service — neither of which the SKILL.md documents or declares. The skill's runtime will perform network calls to MVG and geOps endpoints and will create a persistent session file in the user's home directory.
Install Mechanism
No install spec — instruction-only skill with included code file. Nothing is downloaded or executed from arbitrary URLs during install, which keeps install risk low.
Credentials
The skill declares no required environment variables or credentials, yet the code embeds a GEOPS_API_KEY constant (looks like a private API key) and GEOPS_ORIGIN. Embedding a service key in distributed code is a red flag: the key may be unauthorized for redistribution, may grant access beyond the MVG data, or may be misused. The skill also writes a session file to the user's home directory, creating persistent state without declaring or documenting what is stored.
Persistence & Privilege
always:false and normal autonomous invocation rules apply (no elevated platform privileges). The skill does create and read a persistent session file at ~/.mvg_session.json under the user's home directory, but it does not appear to modify other agent settings or other skills' configs.
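How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install mvg-cli
  3. Once installation completes, invoke the Skill by name or trigger it with /mvg-cli
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history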
v0.1.0
Initial release — Munich public transport CLI with live S-Bahn tracking.
- Provides departure times, route planning, nearby stations, service alerts, and real-time S-Bahn positions via terminal commands.
- Supports filtering by transport type (U-Bahn, S-Bahn, bus, tram, regional trains, etc.).
- Fetches data using the unofficial MVG API; does not require authentication.
- S-Bahn live tracking uses geOps WebSocket connection (Node.js required for live feature).
- All commands support machine-readable JSON output.
Metadata
Slug mvg-cli
Version 0.1.0
License
Total installs 0
Current installs 0
Number of versions 1
FAQ

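What is Mvg?

Munich public transport (MVG) CLI and S-Bahn live tracking. Use for departure times, route planning, nearby stations, service alerts, and real-time S-Bahn po... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 727 total downloads to date.

How do I install Mvg?

Run the command "/install mvg-cli" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.

Is Mvg free?

Yes, Mvg is completely free (open source and free of charge) and can be freely downloaded, installed, and used.

Which platforms does Mvg support?

Mvg runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Mvg?

Developed and maintained by Lars147 (@lars147); the current version is v0.1.0.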
