Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
12306 Old
v1.0.2
Provides tools related to 12306 including client access and login script functionality for ticket booking automation.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: the package implements a 12306 browser-automation client (login, ticket search). However, registry metadata and SKILL.md claim no required env vars or binaries, while the code reads RAILWAY_12306_USERNAME/RAILWAY_12306_PASSWORD and depends on Playwright/Chromium. This is an inconsistency between stated requirements and actual capabilities.
Instruction Scope
SKILL.md is auto-generated and sparse (no usage examples, references a .env.example that isn't present). The runtime code reads/writes a local cookie file (12306_cookies.json) and will launch a Chromium browser via Playwright to visit https://www.12306.cn. The instructions do not document these behaviors or where persistent data is stored.
Install Mechanism
There is no install spec, but the code requires the Python Playwright package and a Chromium runtime; the skill will fail unless these are present. Missing install instructions is an operational and supply-chain omission (not evidence of maliciousness, but risky and incoherent).
Credentials
The code expects RAILWAY_12306_USERNAME and RAILWAY_12306_PASSWORD environment variables (used for login) but the manifest lists no required env vars. Requesting those credentials would be proportionate for a login client, but the omission from metadata and lack of guidance on secure handling/persistence (cookie file saved locally) are red flags.
Persistence & Privilege
The skill does not set always:true, does not modify other skills, and only writes a local cookie file (12306_cookies.json) in its working directory. It will autonomously launch a browser when invoked, which is expected for browser automation.
What to consider before installing
This package contains Python code that automates a browser (Playwright/Chromium) to log into 12306 and save cookies to a local file. Before installing or running:
- Confirm the skill author supplies an install spec (requirements and Playwright/Chromium setup) and a .env.example explaining required env vars.
- Treat RAILWAY_12306_USERNAME and RAILWAY_12306_PASSWORD as sensitive: do not put real credentials in an environment you don't control. The code will also write session cookies to 12306_cookies.json in the working directory—inspect or protect that file.
- Run the code in a sandboxed environment (VM/container) if you must test it, and review/verify the source for any network calls beyond https://www.12306.cn.
- If the author updates the manifest to declare required env vars and provides clear install and runtime docs, the coherence concerns would be resolved; until then, avoid trusting this skill with real credentials.

Like a lobster shell, security has layers — review code before you run it.
