ClawHub

12306 Conflict

v1.0.0

Provides tools for interacting with the 12306 system, including login scripts and client utilities requiring specific environment variables.

0· 175·0 current·1 all-time
by@feiyang2007
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The code implements a 12306 login/search client and legitimately needs credentials and a browser automation runtime. However, the registry metadata claims no required env vars or binaries while the code reads RAILWAY_12306_USERNAME and RAILWAY_12306_PASSWORD and depends on Playwright/Chromium. This mismatch between declared requirements and actual capabilities is incoherent.
Instruction Scope
SKILL.md is autogenerated and minimal; it references a .env.example (not included) and provides no concrete runtime instructions. The actual runtime behavior (in code) performs browser automation against https://www.12306.cn, stores cookies to a local file, and uses env vars for credentials. The instructions do not request any extra unrelated system data or hidden endpoints.
!
Install Mechanism
There is no install spec yet the code requires external runtime (playwright and its browser binaries). Playwright is a heavy dependency that requires installing browser binaries; the absence of an install mechanism or declared dependencies is a practical and security concern (user may run code without knowing these requirements).
!
Credentials
The code expects sensitive credentials via environment variables (RAILWAY_12306_USERNAME and RAILWAY_12306_PASSWORD) but the package metadata lists no required env vars or primary credential. This omission prevents an informed consent decision about supplying secrets. The client also writes cookies to a local file (12306_cookies.json), which is persistent storage of authentication data.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does persist cookies to a local file and launches a browser process, which are within the scope of a web automation client but are notable persistence behaviors the user should be aware of.
What to consider before installing
This package is an automation client for the 12306 train site and the code is consistent with that purpose, but the package metadata and docs are incomplete. Before installing or running: (1) do not supply your primary account credentials until you trust the source — the code reads RAILWAY_12306_USERNAME and RAILWAY_12306_PASSWORD even though they are not declared; (2) expect to need Playwright and its Chromium binaries (install steps are not provided); (3) the client saves cookies to 12306_cookies.json in the working directory — treat that file as sensitive; (4) run the code in an isolated environment or with a throwaway account to verify behavior; (5) ask the publisher to add a proper install spec, a .env.example, and explicit required env var declarations before using with real credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e8328e2xagpmjkd11n1h3hd82v1g6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments