12306 Train Assistant

Security checks across malware telemetry and agentic risk

Overview

This 12306 train-ticket skill appears purpose-built, but it can perform real bookings, cancellations, payment-link generation, and persistent login storage without enough confirmation and cleanup safeguards.

Install only if you are comfortable letting this skill access your real 12306 account, passenger records, orders, and payment workflow. Use query-only commands where possible, run dry-run checks before booking, require your own explicit final confirmation before booking/canceling/paying, and delete or protect the cache, cookie, QR, and payment QR files after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation includes live login and ticket-booking flows using usernames, passwords, SMS codes, passenger identities, and real order submission, but it does not require an explicit user confirmation or warn about privacy and account consequences. In this context, a user or agent could unintentionally submit real bookings or expose sensitive credentials and personal travel data.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill documents cancellation and payment commands as ordinary actions without a mandatory confirmation warning, even though they can alter live orders, candidate reservations, and payment state. In a ticketing skill, these are high-risk transactional operations that can directly cause financial loss, loss of reservations, or unintended account activity if triggered automatically or on ambiguous user input.

Missing User Warnings

Medium
Confidence: 93%
Finding
The client serializes authenticated session cookies to a predictable file on disk, which can expose reusable login state to other local users, backups, or malware if filesystem permissions are weak. In a ticket-booking skill, these cookies can enable account takeover actions such as viewing personal data, booking, canceling, or initiating payments without reauthentication.

Missing User Warnings

Medium
Confidence: 88%
Finding
The QR login state and QR image are written to disk without clear consent or warning, creating local artifacts that may reveal authentication workflow details or be reused by someone with local access before expiration. In this skill context, the QR image is part of the login ceremony for a real 12306 account, so leaving it in temp or project directories unnecessarily increases exposure of account access material and user privacy data.

VirusTotal

66/66 vendors flagged this skill as clean.
