Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

train assistant

v1.0.0

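FenbeiTong train booking assistant: real-time train ticket search, train list display, ticket booking, order viewing, and order cancellation. Invoke when user wants to search trains, book train tickets, check train orders, or cancel train bookings.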

by fenbeitong-trip@gaogao605 · duplicate of @gaogao605/trains
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (train booking) align with required binaries, included scripts, and network endpoints (openapiv2.fenbeitong.com, app-gate.fenbeitong.com). Hardcoded X-App-Id and API base URLs are consistent with a preconfigured integration for this service.
Instruction Scope
SKILL.md explicitly requires calling functions in scripts/fb_train_api.py (search, detail, create/cancel orders). Instructions are scoped to searching, viewing details, creating/cancelling orders and presenting results; they do not request unrelated system files or credentials.
Install Mechanism
No install spec; skill is instruction+scripts only and requires python3 on PATH. Nothing is downloaded or written to disk by an installer.
Credentials
No environment variables or external credentials are required, which is consistent. However, the skill collects and transmits sensitive user-provided PII (names, ID card numbers, phone numbers) to the third-party FenbeiTong endpoints as part of booking — this is expected for booking but is a privacy consideration the user should accept consciously. The code uses a hardcoded X-App-Id (not a secret) which matches the documented integration.
Persistence & Privilege
always:false and no requests to modify other skills or agent-wide config. The skill can be invoked autonomously by the agent (normal default) but it does not request permanent elevated presence.
Assessment
This skill appears to do what it claims: call FenbeiTong APIs to search, book, query, and cancel train tickets. Before installing, confirm you trust the FenbeiTong endpoints and the skill source because booking requires submitting personal data (name, ID number, phone) to those external servers. The skill does not request extra credentials or install third‑party packages, but it will make outbound HTTPS requests — avoid running it in environments where sending PII or other sensitive data to external services is unacceptable. If you need tighter control, ask the publisher for privacy/policy documentation or a means to configure your own API credentials/endpoints instead of using the hardcoded X-App-Id.


latestvk97amhs29v2v9xhc8vk0e06zv983wqj9


Runtime requirements

🚄 Clawdis
Bins: python3
