UK Trains
PassAudited by ClawScan on May 1, 2026.
Overview
This skill coherently queries UK rail timetable APIs; the main thing to notice is that it needs a National Rail API token, which the registry metadata does not fully declare.
This skill appears safe for its stated purpose. Before installing, be aware that it needs a National Rail API token despite the registry metadata saying no credential is required. Prefer a dedicated token, avoid untrusted Huxley2 endpoint overrides, and revoke the token if you believe it was exposed.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you use the Bash helper, your National Rail token is sent to the default Huxley2 service or to whatever endpoint you configure with HUXLEY_URL.
The shell helper uses the National Rail token and appends it to requests sent to the configured Huxley2 endpoint. This is expected for the rail-data integration, but it is still credential handling that users should notice.
HUXLEY_BASE="${HUXLEY_URL:-https://huxley2.azurewebsites.net}"
TOKEN="${NATIONAL_RAIL_TOKEN:-}"
...
url="${url}?accessToken=${TOKEN}"Use a dedicated, revocable National Rail token; keep it in a private environment variable; and do not set HUXLEY_URL to an endpoint you do not trust.
The registry summary may make the skill look like it has no credential or runtime requirements, even though setup requires a National Rail token and some helpers rely on local CLI tools.
The registry metadata does not advertise the API token and helper prerequisites that are described in SKILL.md and used by the scripts. Because the token is purpose-aligned and disclosed in the skill instructions, this is a declaration gap rather than hidden behavior.
Required binaries (all must exist): none Required env vars: none Env var declarations: none Primary credential: none Install specifications: No install spec — this is an instruction-only skill.
Review the SKILL.md setup before use and ensure the required token and local tools are intentionally provided.