Security audit

12306 Train Query

Security checks across malware telemetry and agentic risk

Overview

This is a query-only train-ticket skill, but it weakens HTTPS protection for live 12306 requests, so users should review it before relying on it.

Install only if you are comfortable with a simple query script that sends departure station, arrival station, and date to 12306. Do not use it for account login, purchasing, or payment. The publisher should remove the TLS bypass, require valid HTTPS certificates, and restrict redirects to expected 12306 domains before users rely on its results.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill invokes a script that performs live train-ticket queries, which inherently requires network access, yet the skill metadata does not declare that capability. Undeclared network use weakens review and policy enforcement because users and the platform cannot accurately understand or constrain what external communications the skill will perform.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The activation text includes broad travel-related phrases such as buying tickets, checking trains, and train travel generally, which can cause the skill to trigger for requests beyond simple availability lookup. Over-broad routing can lead to unintended execution, including sending user-provided travel details to the script/network path when the user may have intended a different tool or a more sensitive booking workflow.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script disables TLS certificate validation when downloading the station mapping file from 12306. This allows a machine-in-the-middle attacker to intercept or modify the response, which can poison station codes, alter query behavior, or feed malicious/untrusted data into downstream logic while the script believes it is talking to the legitimate server.

Missing User Warnings

High
Confidence
99% confidence
Finding
The ticket query request also disables TLS certificate validation, exposing all query traffic and responses to interception and tampering. An attacker on the network path could return forged train availability data, redirect requests, or manipulate responses without detection, which is especially risky for a travel-query skill that users may rely on for planning or purchasing decisions.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.insecure_tls_verification

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/train_query.js:21