Trein extended
Security checks across malware telemetry and agentic risk
Overview
This is a coherent Dutch train-information skill that installs and uses the trein CLI with an NS API key, with only normal install, credential, and local-storage cautions.
Before installing, confirm you trust the trein npm package or GitHub release, set the NS_API_KEY securely, and be aware that route queries go through the NS service while any configured aliases or local config may remain on your machine.
VirusTotal
58/58 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill depends on trusting the upstream npm package or GitHub release for the trein executable.
The skill installs an external CLI package or downloads latest-release binaries without a pinned version or checksum in the artifact.
npm i -g trein ... "url":"https://github.com/joelkuijper/trein/releases/latest/download/trein-linux-x64"
Install only from the expected upstream source, review the package or release if possible, and prefer pinned versions or checksums where available.
The CLI can make NS API requests using the user's key, which may affect API quota or expose the key if stored insecurely.
The skill requires an NS API key, which is appropriate for accessing the Dutch Railways API but is still a credential.
requires":{"bins":["trein"],"env":["NS_API_KEY"]} ... export NS_API_KEY="your-api-key"Use a dedicated NS API key, keep it out of shared logs and screenshots, and rotate it if it may have been exposed.
On a shared or poorly protected machine, local config or aliases could reveal an API key or personal station patterns such as home and work.
The skill documents persistent local configuration and station aliases, which can store a credential and personal travel-related locations.
Or create `~/.config/trein/trein.config.json`: { "apiKey": "your-api-key" } ... trein alias set home "Amsterdam Centraal"Store the config file with appropriate file permissions and only create aliases that you are comfortable persisting locally.