12306 Train Query

Pass

Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: 12306-train-query
Version: 1.0.0

The script `scripts/train_query.js` implements the stated train ticket query functionality but contains two security weaknesses. It disables TLS certificate verification (`rejectUnauthorized: false`) when connecting to the 12306 API, so an on-path attacker presenting any certificate can read or alter the traffic. It also appends the user-provided `date` parameter to the query string without validation or URL encoding, so a value containing `&`, `=` or `#` can add or overwrite query parameters. No evidence of intentional malice or data exfiltration was found, but both flaws are significant security risks.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone able to intercept the network connection (for example on a hostile Wi-Fi network or a compromised proxy) could modify the train station or availability results the skill returns, potentially misleading travel decisions.

Why it was flagged

The script disables HTTPS certificate verification when fetching 12306 station data, and the ticket-query request options also set `rejectUnauthorized: false`. With verification off, Node.js accepts any certificate, so the script cannot distinguish the real 12306 server from an impersonator and the data it returns cannot be trusted.

Skill content

https.get(url, { rejectUnauthorized: false }, (res) => {

Recommendation

Remove `rejectUnauthorized: false` and rely on Node's default HTTPS certificate validation. Also validate the `date` parameter (for example against the `YYYY-MM-DD` form the 12306 API expects) and URL-encode every query parameter instead of concatenating raw strings. Avoid using this script for account login or purchases unless the TLS handling is fixed.