ClawHub

火车订票班次查询 - 聚合数据

v1.0.0

火车票时刻表查询。查询指定出发站到到达站的火车班次信息,包括车次号、出发/到达时间、历时、票价、余票等。使用场景:用户说"查一下北京到上海的高铁"、"帮我看看明天有哪些火车"、"从成都到重庆的动车几点出发"、"G25次列车几点到"、"下午有没有从广州到深圳的车"等。通过聚合数据(juhe.cn)API实时查询,支...

0· 117·0 current·0 all-time
byjuhe-skills@juhemcp
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description say it queries train schedules from 聚合数据 (juhe.cn). The skill requires python3 and a JUHE_TRAIN_KEY and the provided script indeed calls https://apis.juhe.cn/fapigw/train/query — these requirements are appropriate for the stated purpose.
Instruction Scope
SKILL.md instructs extracting stations/date, validating date range, running the included script (or calling the API endpoint directly), and formatting results. The script implements those behaviors and does not request unrelated files, credentials, or external endpoints beyond juhe.cn.
Install Mechanism
No install spec (instruction-only + a small script) — nothing is downloaded or executed during install. This is low-risk and proportionate for the skill's function.
Credentials
Only JUHE_TRAIN_KEY is required which matches the API usage. Notes: passing the key via --key can expose it in process listings; placing the key in scripts/.env or an environment variable may expose it to other local users/processes. The script also includes the API key in a GET query string (URL) when calling the API, which can be logged by local proxies or network appliances — consider this when deciding where to store the key.
Persistence & Privilege
always is false and the skill does not request to persist or modify other skills or system-wide configuration. The skill only reads a local .env file and environment variables for its own API key, which is normal for a simple CLI script.
Assessment
This skill appears to do exactly what it claims: query juhe.cn for train schedules. Before installing or using it: - Only provide a JUHE_TRAIN_KEY you trust and obtained from juhe.cn. Treat the key like a secret. - Avoid passing the key on the command line (--key) on multi-user systems because command-line arguments can be visible to other users via process listings. Use an environment variable or a .env file with restrictive permissions instead. - Be aware the script sends the key as a URL query parameter (GET) to the juhe API — that may be recorded by intermediate proxies or logs. If that is a concern, consider modifying the script to send the key in a POST body or an Authorization header. - Review the script before running it if you obtained the skill from an untrusted source. The network calls go to juhe.cn over HTTPS (expected), and there are no other external endpoints or hidden behaviors in the provided files. - Monitor your juhe.cn usage/quota and rotate the key if you stop using the skill or suspect compromise.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f1sy42186kve955xedk02k983mzaq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🚄 Clawdis
Binspython3
EnvJUHE_TRAIN_KEY
Primary envJUHE_TRAIN_KEY

Comments