12306 Train Query
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its train-ticket lookup purpose, but its script disables HTTPS certificate checks when contacting 12306, which can let network attackers tamper with results.
Use caution before installing. The skill appears to be a straightforward 12306 availability checker, but its HTTPS validation should be fixed before relying on the results. Do not provide account credentials or use it for purchasing unless the code is updated and reviewed.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone able to intercept the network connection could modify train station or availability results, potentially misleading travel decisions.
The script disables HTTPS certificate verification when fetching 12306 station data, and the ticket-query options also set rejectUnauthorized: false. This makes the external data source less trustworthy.
https.get(url, { rejectUnauthorized: false }, (res) => {Remove rejectUnauthorized: false and use normal HTTPS certificate validation. Avoid using this script for account login or purchases unless the TLS handling is fixed.