Scotty - AT Public Transport Service (ÖBB)
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your station names, route, date, and time searches are sent to ÖBB to retrieve schedules; malformed inputs could also break the request formatting.
The helper uses curl to send user-provided route and time parameters to the disclosed ÖBB API. This is purpose-aligned and read-only, but the user’s trip query is shared with the external service and arguments are directly interpolated into the JSON request.
curl -s -X POST "https://fahrplan.oebb.at/bin/mgate.exe" ... "loc":{"name":"'"$FROM"'","type":"S"} ... "outDate":"'"$DATE"'", "outTime":"'"$TIME"'"Use this for intended public-transport lookups and avoid entering travel queries you do not want sent to ÖBB. Maintainers could improve robustness by JSON-escaping string inputs and validating numeric fields.
The skill may fail unless those local command-line tools are already installed, and users rely on their local copies of those tools.
The included helper requires bash, curl, and jq, while the registry requirements list no required binaries. This makes the dependency contract incomplete, although the helper code itself is present and readable.
#!/bin/bash ... curl -s -X POST "https://fahrplan.oebb.at/bin/mgate.exe" ... | jq
Install bash/curl/jq from trusted system package sources if needed, and the skill metadata should declare these requirements explicitly.