v1.1.0

NS Trains

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:12 AM.

Analysis

This skill appears to do what it says: it uses an NS API key to query official Dutch train information, with no hidden destinations, file writes, persistence, or account-changing behavior shown.

GuidanceBefore installing, make sure you are comfortable providing an NS API subscription key and optional home/work station names for commute shortcuts. The provided code confines network requests to the official NS API gateway and does not show file writes or hidden persistence.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

scripts/ns-api.mjs

const key = process.env.NS_SUBSCRIPTION_KEY || process.env.NS_API_KEY; ... 'Ocp-Apim-Subscription-Key': subscriptionKey

The skill reads an NS API credential from the environment and uses it as the subscription header for NS API requests. This is purpose-aligned and disclosed, but users should treat the key as a secret.

User impactThe skill can use your NS API subscription key to make train-information requests, which could consume your API quota if overused.

RecommendationUse a dedicated NS API key, provide it through a secret manager or runtime environment variable, avoid printing or committing it, and rotate it if exposed.