火车时刻查询服务 (Train Timetable Query Service)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill presents itself as a Caltrain GTFS timetable lookup, but it requires and stores a third-party Xiaobenyang API key and routes queries through a remote MCP service with unclear scope.

Install only if you understand and trust the Xiaobenyang service behind this skill. Treat the requested XBY_APIKEY as a persistent secret: it will be stored locally in .env and sent to the remote MCP endpoint. Prefer a revised version that clearly documents the third-party service, scopes the API calls to Caltrain only, removes gaokao/school leftovers, and provides a clear way to delete or rotate the stored key.

SkillSpector (18)

By NVIDIA

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes capabilities to read environment variables, read/write files, and make network calls, yet it declares no permissions or equivalent user-facing disclosure. This creates a transparency and trust problem because the agent can handle credentials and persist data beyond what a simple timetable lookup would imply.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior does not match the stated purpose: a purported GTFS-based Caltrain query skill instead collects and stores an external API key, reads credentials from env/.env, and routes requests through a remote third-party platform. This mismatch can mislead users into granting sensitive access under false assumptions and greatly broadens the attack surface beyond a narrow transit lookup tool.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
A local GTFS timetable skill should not ordinarily require an unrelated external API key, so this requirement is a strong indicator of hidden dependency or undisclosed remote processing. Asking the model to solicit and save a credential for an unrelated service increases the risk of credential harvesting and misuse.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The workflow example references `search_schools`, which is unrelated to train schedules and suggests the skill may be copied from another project or contain hidden/reused functionality. Such inconsistencies reduce trust in the declared behavior and can conceal unintended tool routing or data exfiltration paths.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The project structure names a gaokao/school-related skill rather than a Caltrain timetable service, indicating identity inconsistency and possible code reuse from a different application domain. This raises the risk that unrelated logic, endpoints, or sensitive data handling behavior remains embedded in the skill.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file materially contradicts the stated skill purpose: instead of implementing a Caltrain/GTFS timetable query, it provides a generic client to invoke an unrelated remote MCP API with arbitrary tool names and parameters. In a skill ecosystem, this kind of capability mismatch is dangerous because it can hide undeclared data exfiltration or remote action execution behind an innocuous manifest, defeating user and platform trust boundaries.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
`call_tool` accepts a caller-controlled `tool_name` and arbitrary `params`, then forwards them with an API key to a generic `/api` endpoint. That creates a broad remote invocation primitive unrelated to train schedules, enabling misuse of the skill as a proxy to access hidden upstream capabilities or transmit sensitive user-provided data to an undeclared third party.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The inline class documentation explicitly labels this as a '小笨羊MCP API' client (a Xiaobenyang MCP API client), which directly conflicts with the claimed Caltrain GTFS service. While comments alone do not execute, here they corroborate that the code's true purpose differs from the manifest, increasing confidence that the mismatch is intentional concealment rather than an innocent naming error.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The function docstrings repeatedly state that the code is calling the '小笨羊MCP API', reinforcing that the runtime behavior is not the advertised timetable-query service. In this context, the misleading documentation is not merely cosmetic; it supports a deceptive implementation pattern that can hide unauthorized outbound calls and capabilities from users and reviewers.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file’s behavior is materially inconsistent with the declared Caltrain timetable purpose: it implements unrelated XBY/Xiaobenyang API credential loading and persistence, including direct .env handling. In an agent skill, such hidden scope expansion is dangerous because it can collect, retain, or redirect secrets for an unrelated external service without user expectation, increasing the likelihood of credential misuse or supply-chain style abuse.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This train schedule skill contains logic to persist API keys into a local .env file, which exceeds what is necessary for simple timetable lookup and broadens the skill’s capability into secret storage. In a mismatched skill context, persistent credential handling is risky because it leaves long-lived secrets on disk and enables later reuse by unrelated code or compromised components.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The class docstring explicitly describes this as a '小笨羊高考Skill配置' (a Xiaobenyang gaokao skill configuration), directly contradicting the published train-query purpose and strongly suggesting code reuse or repurposing from an unrelated skill. That discrepancy is security-relevant because it undermines trust in the declared behavior and indicates the file may be performing hidden functions outside the expected transit domain.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs the model to ask for an API key and persist it, but does not warn the user that the credential will be stored or explain retention, scope, or security handling. This can cause users to disclose secrets without informed consent and increases exposure if the filesystem or environment is later accessed.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code writes an API key to .env automatically, with no visible warning, consent, or indication of retention behavior. Silent persistence of secrets is dangerous because users or operators may assume the key is used transiently, while it is actually being stored on disk for future access by this or other processes.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
95% confidence
Finding
requests>=2.31.0 is declared with an open lower bound rather than pinned to an exact version, so a future release of the package could be pulled in without review.

Unpinned Dependencies

Low
Category
Supply Chain
Confidence
95% confidence
Finding
pydantic>=2.7.0 is declared with an open lower bound rather than pinned to an exact version, so a future release of the package could be pulled in without review.

Unpinned Dependencies

Low
Category
Supply Chain
Confidence
94% confidence
Finding
pydantic-settings>=2.2.0 is declared with an open lower bound rather than pinned to an exact version, so a future release of the package could be pulled in without review.

Unpinned Dependencies

Low
Category
Supply Chain
Confidence
94% confidence
Finding
python-dotenv>=1.0.1 is declared with an open lower bound rather than pinned to an exact version, so a future release of the package could be pulled in without review.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.