Trein
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The CLI can use the user's NS API key to make Dutch Railways API requests.
The skill requires an NS API key and offers either environment-variable or config-file storage. This is expected for querying the NS API, but it is still credential access users should notice.
export NS_API_KEY="your-api-key"
Or create `~/.config/trein/trein.config.json`:
{ "apiKey": "your-api-key" }Use an API key intended for this purpose, avoid sharing it in chats or logs, and protect any config file that stores the key.
Installing the CLI runs third-party code locally, and that code will handle the NS API key.
The skill relies on installing an external CLI package or binary. That is central to the skill's purpose, but the artifacts do not pin a specific release or include code for review.
npm i -g trein Or download a standalone binary from [GitHub Releases](https://github.com/joelkuijper/trein/releases).
Install from the linked project or trusted package registry, consider pinning/verifying a release when possible, and keep the CLI updated from trusted sources.