12306 Train Booking

Security checks across malware telemetry and agentic risk

Overview

This train-ticket booking skill can control a phone and submit real orders, but its safety boundaries are inconsistent and under-scoped.

Install only if you are comfortable giving an agent broad Android automation authority for a live ticketing account. Before use, require a dry run, keep payment and fingerprint steps manual, demand explicit confirmation before any order submission, and avoid using it on a device showing unrelated personal or financial apps.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        self._prefix = ["adb"] + (["-s", device] if device else [])

    def shell(self, cmd: str, timeout: int = 30) -> str:
        r = subprocess.run(self._prefix + ["shell", cmd],
                           capture_output=True, text=True, timeout=timeout)
        return r.stdout.strip()
Confidence
96% confidence
Finding
r = subprocess.run(self._prefix + ["shell", cmd], capture_output=True, text=True, timeout=timeout)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    def screenshot(self, path: str = "/tmp/adb_screenshot.png"):
        self.shell("screencap -p /sdcard/adb_scr.png")
        subprocess.run(self._prefix + ["pull", "/sdcard/adb_scr.png", path],
                       capture_output=True, text=True, timeout=10)
        return path
Confidence
91% confidence
Finding
subprocess.run(self._prefix + ["pull", "/sdcard/adb_scr.png", path], capture_output=True, text=True, timeout=10)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The README contradicts the stated skill contract by directing users to use uiautomator2/AccessibilityService for core interactions even though the skill metadata says screen interaction must go through the appium-android-adb bridge. That mismatch is dangerous because it can bypass expected control boundaries, review assumptions, and auditability for a high-impact workflow that submits real ticket orders.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The documentation states fingerprint verification is a mandatory physical boundary, but also claims a successful ticket booking, creating ambiguity about where automation really stops. In a purchasing workflow, misleading claims about an authentication boundary can cause operators to overtrust the skill, misunderstand its capability, or mask attempts to automate beyond intended safeguards.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The document explicitly says raw ADB must never be used on 12306, yet the decision tree later instructs using `adb shell monkey` when the app is not foregrounded. Contradictory operational guidance increases the chance an agent will bypass the intended safer bridge and execute direct ADB commands on a live user device.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
Although the skill states that all 12306 screen interaction must use the Appium bridge, the Files section authorizes `adb_helper.py` for pre-Appium checks or native-only pages. This broadens the effective attack surface and undermines the safety claim, making it easier for an agent to justify direct low-level device automation in the same workflow.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file implements broad raw ADB interaction primitives even though the skill description says raw ADB commands must never be used on 12306. This mismatch undermines the safety boundary promised by the skill and enables device-wide automation beyond the intended appium/uiautomator2-only interaction model, including taps, swipes, key events, app launching, shell commands, and text injection.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The module documentation says WebView interaction should use uiautomator2 because ADB touches are filtered, yet the code includes `tap_motion` and `fast_drag` helpers described as working on some WebViews. This inconsistency invites unsafe or unsupported interaction patterns, which can cause unreliable automation and bypass the documented safety model for a sensitive booking workflow.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
`launch_app` accepts any package name and can start arbitrary Android applications, which exceeds the declared scope of a 12306-specific booking helper. In an agent context, this broadens the attack surface from a single booking app to the whole device, enabling misuse for unrelated app interaction or phishing-style app launching.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to automate ticket booking, passenger selection, and order submission without prominent warnings that these actions affect live account and order state and may be irreversible or financially consequential. In this context, the skill is more dangerous because it targets a real consumer booking app and directly drives purchase-related actions, increasing the chance of accidental orders, wrong passenger selection, or unintended charges.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The workflow directs the agent to verify details and then tap "提交订单" without requiring an explicit user confirmation immediately before placing the order. Submitting a booking is a consequential real-world action that can create financial liability, reserve inventory, and trigger downstream payment or cancellation issues if performed incorrectly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The UI hierarchy is written to a fixed local file `/tmp/adb_ui.xml`, which may contain sensitive on-screen data such as names, travel details, or account information. Using a predictable path increases the chance of unintended exposure, stale-data reuse, or tampering by other local processes on shared systems.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The screenshot function stores full device screen contents on disk, and screen captures from a train-booking app can include personal data, itinerary details, login state, or payment information. Persisting such images locally without constrained storage, retention, or disclosure materially increases privacy and data-leakage risk.

VirusTotal

VirusTotal findings are pending for this skill version.
