NS Trains
PassAudited by ClawScan on May 10, 2026.
Overview
This skill appears to be a straightforward Dutch train schedule helper that uses a declared NS API key only for the official NS API.
This looks safe for its stated purpose. Before installing, make sure you are comfortable sending station and route queries to the official NS API, keep NS_SUBSCRIPTION_KEY private, and only configure NS_HOME_STATION or NS_WORK_STATION if you are comfortable storing those commute locations in your environment.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your NS subscription key will be used to make train-information requests to the NS API, and those requests may count against your API quota.
The skill reads an API key from the environment and uses it for authenticated NS API requests. This is disclosed and purpose-aligned, but it is still credential use.
const key = process.env.NS_SUBSCRIPTION_KEY || process.env.NS_API_KEY; ... 'Ocp-Apim-Subscription-Key': subscriptionKey
Provide the key through a secret manager or runtime environment variable, avoid committing it to files, and rotate it if it is exposed.