ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A nach B - AT Public Transport Service (VOR)

v1.0.0

Austrian public transport (VOR AnachB) for all of Austria. Query real-time departures, search stations/stops, plan routes between locations, and check service disruptions. Use when asking about Austrian trains, buses, trams, metro (U-Bahn), or directions involving public transport in Austria.

0· 1.8k·0 current·0 all-time
by@manmal
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Austrian public transport queries) align with the included scripts: search.sh, departures.sh, route.sh, disruptions.sh all POST to a HAFAS endpoint and parse responses. One minor mismatch: the scripts require curl and jq to run, but the skill's metadata declares no required binaries.
Instruction Scope
SKILL.md and the scripts confine behavior to constructing HAFAS JSON requests and calling the documented API endpoint. They do not read user files, environment secrets, or send data to third-party endpoints beyond the single HAFAS demo host. Output formatting is local (jq).
Install Mechanism
No install spec (instruction-only with shell scripts) — lowest-risk deployment model. The code is plain shell + jq usage; nothing is downloaded or extracted during install.
Credentials
The skill does not request environment variables, credentials, or config paths. The code includes a hard-coded client/auth object (client id VAO, auth aid 'nextgen') that appears non-secret and is consistent with demo usage.
Persistence & Privilege
The skill does not request persistent presence (always:false), does not modify system or other skills' configs, and requires no special privileges.
Assessment
This skill appears coherent and only makes network calls to a HAFAS demo endpoint. Before installing, note: (1) the scripts require curl and jq on PATH — install those if missing; (2) the endpoint used is 'vao.demo.hafas.de' (a demo host) rather than an official production API — expect rate limits or different behaviour; (3) the source/publisher is unknown and there's no homepage — if you need a production-grade or trusted integration, verify the provider or replace the endpoint/credentials with official ones; (4) the scripts do not access local secrets or files, but they will send queries you provide (station names/IDs) over the network, so run them in a network-restricted/sandboxed environment if you are concerned. Overall the skill is internally consistent with low risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cyt3qa9sfkbrxhr8n0s2xpn7yxgbp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments