ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

12306 Backup

v1.0.0

Query China Railway 12306 for train schedules, remaining tickets, and station info. Use when user asks about train/高铁/火车 tickets, schedules, or availability...

0· 27·0 current·0 all-time
bysteve xia@danihe001·fork of @kirorab/12306 (1.0.2)
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, and the two JS scripts all focus on querying 12306, parsing results, and producing HTML/MD/JSON output. The only required binary is node, which is appropriate for the provided Node.js scripts.
Instruction Scope
Runtime instructions only run the included scripts. The scripts fetch data from 12306 domains, parse and filter results, and write cache/output files under the skill's data path — all within the described scope. No unrelated files, system credentials, or external endpoints are accessed.
Install Mechanism
This is an instruction-only skill with included scripts and no install spec. No downloads from third-party URLs or archive extraction are performed by the skill itself.
Credentials
The skill requires no environment variables or credentials. It only needs Node.js runtime; no unexpected secret access is requested.
Persistence & Privilege
always is false and the skill does not request permanent platform privileges. It caches station data and writes output files under its own data path only, which is expected behavior.
Assessment
Functionally and security-wise the skill is coherent with its purpose: it fetches data from official 12306 endpoints and caches station data locally, and it does not request secrets. Before installing, however, verify the skill's provenance (source/homepage is unknown here) and run it in a trusted/isolated environment if you don't trust the author. Also ensure you have Node.js >=18 (the code uses global fetch) and be aware the scripts will create/overwrite files under the skill's data directory and any output paths you provide. If you need higher assurance, review the included scripts locally (they are short and readable) or run them with network monitoring to confirm they only contact 12306 domains.
!
scripts/stations.mjs:3
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk9749vxkz2abq0bp8cps66rzvs849erm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🚄 Clawdis
Binsnode

Comments