Trein
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: trein Version: 1.0.0 The skill bundle is benign. It provides instructions and metadata for installing and using the 'trein' CLI tool, which queries Dutch Railways information. All installation methods (npm, GitHub releases) are standard, and the required environment variable (NS_API_KEY) is explicitly stated and necessary for the tool's function. There is no evidence of data exfiltration, malicious execution, persistence, obfuscation, or prompt injection attempts against the OpenClaw agent in the SKILL.md file; all content is descriptive and aligned with the stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The CLI can use the user's NS API key to make Dutch Railways API requests.
The skill requires an NS API key and offers either environment-variable or config-file storage. This is expected for querying the NS API, but it is still credential access users should notice.
export NS_API_KEY="your-api-key"
Or create `~/.config/trein/trein.config.json`:
{ "apiKey": "your-api-key" }Use an API key intended for this purpose, avoid sharing it in chats or logs, and protect any config file that stores the key.
Installing the CLI runs third-party code locally, and that code will handle the NS API key.
The skill relies on installing an external CLI package or binary. That is central to the skill's purpose, but the artifacts do not pin a specific release or include code for review.
npm i -g trein Or download a standalone binary from [GitHub Releases](https://github.com/joelkuijper/trein/releases).
Install from the linked project or trusted package registry, consider pinning/verifying a release when possible, and keep the CLI updated from trusted sources.