Scotty - AT Public Transport Service (ÖBB)
PassAudited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill Name: oebb-scotty Version: 1.0.0 The skill bundle is benign. All scripts (`arrivals.sh`, `departures.sh`, `disruptions.sh`, `search-station.sh`, `trip.sh`) consistently interact with the specified ÖBB API endpoint (`https://fahrplan.oebb.at/bin/mgate.exe`) using `curl` and `jq` for JSON parsing. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the agent with harmful objectives. The `SKILL.md` and `README.md` files accurately describe the API and script functionalities.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your station names, route, date, and time searches are sent to ÖBB to retrieve schedules; malformed inputs could also break the request formatting.
The helper uses curl to send user-provided route and time parameters to the disclosed ÖBB API. This is purpose-aligned and read-only, but the user’s trip query is shared with the external service and arguments are directly interpolated into the JSON request.
curl -s -X POST "https://fahrplan.oebb.at/bin/mgate.exe" ... "loc":{"name":"'"$FROM"'","type":"S"} ... "outDate":"'"$DATE"'", "outTime":"'"$TIME"'"Use this for intended public-transport lookups and avoid entering travel queries you do not want sent to ÖBB. Maintainers could improve robustness by JSON-escaping string inputs and validating numeric fields.
The skill may fail unless those local command-line tools are already installed, and users rely on their local copies of those tools.
The included helper requires bash, curl, and jq, while the registry requirements list no required binaries. This makes the dependency contract incomplete, although the helper code itself is present and readable.
#!/bin/bash ... curl -s -X POST "https://fahrplan.oebb.at/bin/mgate.exe" ... | jq
Install bash/curl/jq from trusted system package sources if needed, and the skill metadata should declare these requirements explicitly.