Railway 12306
PassAudited by ClawScan on May 10, 2026.
Overview
This skill appears to be a benign train-ticket lookup helper that queries the public 12306 endpoint, with no evidence of login, storage, purchase actions, or data exfiltration.
This looks safe for public train-ticket availability lookups. Be aware that it contacts 12306 with your route/date, requires Node.js despite no binary declaration, and some documented price-comparison and helper-script features appear incomplete.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your queried stations and travel date will be sent to 12306 to retrieve ticket availability.
The script sends the user’s route and date query to the public 12306 HTTPS endpoint, which is expected for the ticket-query purpose and is disclosed by the skill.
const baseUrl = 'https://kyfw.12306.cn/otn/leftTicket/query'; ... https.get(url, options, (res) => {Use it for intended public ticket lookups and avoid entering unrelated sensitive information.
Some documented workflows may fail or depend on undeclared local tools, especially lunar-date conversion and helper script examples.
The instructions reference another skill, a hard-coded local path, and helper/reference files that are not all included in the provided manifest; this is a completeness/provenance issue, not evidence of malicious behavior.
python /home/node/.openclaw/workspace/skills/lunar-calendar/scripts/lunar_calculator.py ... references/seat_types.json ... scripts/convert_station.js ... scripts/compare_dates.js
Confirm required runtime tools and referenced helper files exist before relying on those optional workflows.
Using the skill may execute the included local JavaScript query script.
The skill is designed to run a local Node.js script. This is central to its purpose and the included script is readable and query-focused.
node scripts/query_tickets.js --from "北京" --to "上海" --date "2026-02-25"
Allow script execution only if you are comfortable with the reviewed code contacting 12306 for ticket lookup.
Cheapest-ticket or price-comparison recommendations may be inaccurate or based on placeholder behavior.
The skill advertises price comparison and cheapest-ticket recommendations, but the real query script does not actually fetch or sort by price yet.
prefer === 'cheapest' ... // TODO: 集成价格查询 ... return tickets[0];
Treat price-related recommendations as advisory only and verify fares directly on 12306.