ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

train

v1.0.0

分贝通火车预订助手,实时查询火车票、展示车次列表、预订火车票、查看订单、取消订单。Invoke when user wants to search trains, book train tickets, check train orders, or cancel train bookings.

0· 44·0 current·0 all-time
byfenbeitong-trip@gaogao605
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (train ticket search, booking, order management) align with the included Python modules and required python3 binary. The files implement calls to fenbeitong OpenAPI endpoints and formatting functions that are appropriate for the declared capabilities.
Instruction Scope
SKILL.md insists the agent call functions in scripts/fb_train_api.py and not fabricate results; instructions are specific about which API functions to call and what to display. There are no instructions to read unrelated local files, other environment variables, or to transmit data to endpoints other than the documented fenbeitong domains.
Install Mechanism
This is an instruction-only skill with bundled Python scripts and no install script or archive downloads. No third-party install URLs or extract operations are present; risk from install mechanism is low. It requires python3 to run, which is reasonable.
Credentials
The skill requests no environment variables or platform credentials, but the code contains a hard-coded X-App-Id and EMP_ID and will send user-provided PII (names, ID numbers, phone numbers) to https://openapiv2.fenbeitong.com and https://app-gate.fenbeitong.com. This data transmission is expected for booking but is a privacy consideration—ensure you trust the remote service and its data handling.
Persistence & Privilege
always:false and no code to modify other skills or system-wide agent settings. The skill does network I/O on demand but does not request elevated or persistent platform privileges.
Assessment
This skill appears to do what it claims: it will call fenbeitong OpenAPI endpoints to search trains, create/cancel orders, and return payment/view links. Before installing, be aware that you (or your users) will need to provide personal passenger information (name, national ID, phone) which the skill sends to external fenbeitong endpoints. The code includes a hard-coded X-App-Id and EMP_ID (no secret API key), so verify you trust fenbeitong's privacy and security practices. Also ensure python3 is available in the runtime. If you need tighter privacy or auditability, ask the author how passenger data is stored, logged, or transmitted, and whether requests can be routed through a service you control or audited.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f7fcdfn6nyg33dpbsd535a183wrjk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🚄 Clawdis
Binspython3

Comments