Is eggressive/ns-trains safe?

https://github.com/openclaw/skills/tree/main/skills/eggressive/ns-trains

92
SAFE

The eggressive/ns-trains skill is a well-structured, narrowly scoped Dutch rail API integration with no detected malicious behavior. SKILL.md contains no prompt injection, the Node.js scripts enforce a strict host allowlist (gateway.apiportal.ns.nl only), and all canary honeypots remain intact with file accesses attributable to the audit framework. The only noteworthy issue is an accidentally shipped .clawhub/lock.json containing the developer's local environment state, which is an operational hygiene concern but poses no security risk to installers.

Category Scores

Prompt Injection 96/100 · 30%
Data Exfiltration 87/100 · 25%
Code Execution 93/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (5)

LOW Lock file leaks developer environment state -8

The .clawhub/lock.json shipped inside the skill repository contains the developer's local skill installation state, referencing 'academic-research-hub' v0.1.0. This is not a direct security risk to installers, but reveals information about the developer's environment and suggests the repository was not cleaned before publishing.

LOW Canary files accessed during audit window -5

Sensitive credential files were opened during the audit window at timestamps 1771951990.355 (pre-install baseline) and 1771952009.635 (post-install check). Timing, batch grouping, and absence of corresponding outbound network traffic strongly indicate these accesses are from the oathe audit framework itself performing integrity checks. All files confirmed intact. Retained as a low-severity finding due to the audit window timing proximity to skill installation.

INFO Six Node.js scripts requiring external API key -7

The skill ships six ESM Node.js scripts. These are fully documented, require user-supplied NS_SUBSCRIPTION_KEY, and communicate only with gateway.apiportal.ns.nl over HTTPS. The nsFetch() helper enforces the host allowlist at the code level. No install-time execution occurs.

INFO Standard monorepo sparse-checkout installation -10

Installation follows expected oathe pattern: depth-1 clone of openclaw/skills, sparse-checkout of the skill subpath, copy to skill-under-test directory, cleanup of clone. No unexpected network connections or process spawning observed.

INFO API key handled via environment variable with appropriate hygiene guidance -12

NS_SUBSCRIPTION_KEY is read from the process environment. SKILL.md and SECURITY.md both advise against committing or sharing the key and recommend runtime secret injection. The legacy NS_API_KEY fallback expands the key surface marginally but both names serve the same legitimate purpose.