Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Deutsche Bahn CLI

v1.0.0

Search Deutsche Bahn train connections using the bahn-cli tool. Use when you need to find train connections between German stations, check departure times, or help with travel planning. Works with station names like "Berlin Hbf", "München", "Hannover".

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md clearly describes using a bahn-cli tool to search Deutsche Bahn connections, which matches the name and description. However, the skill metadata declares no required binaries while the instructions assume node and npm are available and assume the code lives at a hard-coded path (~/Code/bahn-cli). The homepage/source are missing, so it's unclear where bahn-cli comes from.
Instruction Scope
The runtime instructions tell the agent to cd into ~/Code/bahn-cli, run npm install there, and execute node index.js. That means the agent will run arbitrary local JavaScript code and may download packages from npm. The instructions do not include verification steps (no checksum, repo URL, or provenance), so executing them could run untrusted code on the host.
Install Mechanism
There is no formal install spec in the registry; the SKILL.md expects a manual npm install inside a local path. This is a common developer workflow but relies on the local repo existing and on npm packages from the registry. Because the skill's source/homepage are not provided, the install origin is unknown.
Credentials
The skill requests no environment variables or credentials, which is appropriate. One minor inconsistency: required runtime binaries (node, npm) are used in the instructions but not declared in the registry metadata.
Persistence & Privilege
The skill does not request always:true and does not declare modifying other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other high privileges in this skill.
What to consider before installing
This skill is plausible for searching DB connections, but it assumes and executes local/unverified code. Before installing or invoking it: (1) ask for the official repository or npm package name and verify the source (GitHub or an official release), (2) ensure node/npm are installed and consider running npm install in an isolated environment (container or VM), (3) inspect package.json and lockfile for suspicious dependencies (and audit db-vendo-client), (4) avoid running node index.js in ~/Code/bahn-cli unless you trust that directory, and (5) if you want to reduce risk, request the skill be packaged with an explicit install spec (trusted release URL or published npm package) and declared runtime binaries. If you are uncomfortable running unverified code, do not install or invoke this skill.

Like a lobster shell, security has layers — review code before you run it.

latest vk97268q0xxbb0d8cj15eh9snhs7zzffx
2.1k downloads
0 stars
1 version
Updated 16h ago
v1.0.0
MIT-0

Deutsche Bahn CLI

Search train connections using the bahn-cli tool.

Installation

The tool should be installed globally or in the workspace. If not installed:

cd ~/Code/bahn-cli && npm install

Usage

Search train connections:

cd ~/Code/bahn-cli && node index.js search "<from>" "<to>" [options]

Options

  • --date YYYY-MM-DD - Departure date (default: today)
  • --time HH:MM - Departure time (default: current time)
  • --results <number> - Number of results to show (default: 5)

Examples

Search connections from Hannover to Bonn:

cd ~/Code/bahn-cli && node index.js search "Hannover Hbf" "Bonn Hbf" --results 3

Search with specific date and time:

cd ~/Code/bahn-cli && node index.js search "Berlin" "München" --date 2026-02-05 --time 14:30

Station Names

  • Use common German station names
  • "Hbf" means Hauptbahnhof (main station)
  • Examples: "Berlin Hbf", "München Hbf", "Frankfurt(Main)Hbf", "Köln Hbf"
  • Station names are case-insensitive

Output

The tool shows:

  • Departure and arrival times
  • Platform numbers
  • Duration
  • Number of changes
  • Intermediate stops for connections with changes
  • Train numbers (ICE, IC, RE, etc.)

Notes

  • The CLI uses the db-vendo-client library
  • Some station names in output may show "undefined" (cosmetic issue, doesn't affect functionality)
  • Direct connections are listed first
  • Times are in 24-hour format
