Entur Travel

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: entur-travel
Version: 1.0.0

The `scripts/entur.py` file contains GraphQL injection vulnerabilities. The `_place_arg` function and the `cmd_departures`/`cmd_stop` commands directly insert user-controlled input (`place["id"]`, `place["name"]`, `args.stop_id`) into the GraphQL query string without proper escaping of double quotes. This allows an attacker to inject arbitrary GraphQL directives or fields, potentially leading to information disclosure or denial of service against the Entur API. There is no evidence of intentional malicious behavior such as data exfiltration, backdoor installation, or unauthorized remote control; the script's purpose aligns with its stated goal of public transit planning.