火车票
v1.1.0分贝通火车预订助手,实时查询火车票、展示车次列表、预订火车票、查看订单、取消订单。Invoke when user wants to search trains, book train tickets, check train orders, or cancel train bookings.
⭐ 0· 81·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name, description, SKILL.md, and the two Python modules all implement a train-ticket search/booking flow against fenbeitong endpoints. Required binary (python3) and use of functions in scripts/fb_train_api.py are proportionate to the stated purpose.
Instruction Scope
SKILL.md explicitly instructs the agent to call functions in scripts/fb_train_api.py for search, detail, create/cancel orders. It also requires collecting sensitive passenger data (name, ID card, phone) which is necessary for booking but is sensitive and will be sent to the remote API. There is no scope creep (no unrelated filesystem or credential reading), but the instructions do transmit PII to an external service.
Install Mechanism
This is an instruction-only skill with included Python source files and no install spec; nothing is downloaded from external URLs. However the code depends on the third-party 'requests' library (not declared in SKILL.md). The lack of a package/install step means runtime must already provide required Python packages.
Credentials
The skill requests no environment variables or user credentials. API identifiers (X_APP_ID, EMP_ID) are hardcoded in the module rather than requested from the environment — not ideal for secrecy but not inconsistent with the skill's purpose. No unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and is user-invocable. Autonomous invocation is allowed (platform default) — consider this when feeding PII to the skill, but the setting itself is normal.
Assessment
This skill appears to do what it says: query and book train tickets via Fenbeitong's OpenAPI. Important considerations before installing or using it:
- Privacy: Booking requires passenger PII (name, ID number, phone). The skill will POST that data to https://openapiv2.fenbeitong.com (and uses app-gate.fenbeitong.com for payment links). Only proceed if you trust that external service and its data handling/privacy policy.
- Dependency: The Python code uses the 'requests' library but the skill doesn't declare installing it. Ensure the runtime environment has Python 3 and required packages available.
- Hardcoded IDs: The module contains a hardcoded X-App-Id and EMP_ID. That means the skill uses built-in credentials rather than asking you for an API key; this is not necessarily malicious but means the requests are made under those embedded identifiers.
- Autonomous calls: The adapter is designed for model function-calling. If you enable the skill for autonomous invocation, an agent could call the API (and thereby send PII) without a separate explicit confirmation each time. If you prefer interactive control, restrict invocation or require explicit confirmation before providing passenger data or creating orders.
- Trust and provenance: The skill's source/homepage is unknown. If you need stronger assurance, ask the publisher for provenance, check the Fenbeitong integration details with the company, or prefer an official integration with documented ownership.
If you understand and accept the privacy trade-offs and ensure the runtime has 'requests' installed, the skill is coherent and can be used for its intended purpose.Like a lobster shell, security has layers — review code before you run it.
latestvk9706krdh495wyrn5pce60wqh983wanm
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🚄 Clawdis
Binspython3