Is khj809/srt safe?

https://github.com/openclaw/skills/tree/main/skills/khj809/srt

Score: 83 · SAFE

The khj809/srt skill is a functional Korean SRT train booking automation tool built on the legitimate SRTrain PyPI library. The codebase is well-structured with active security mitigations (path traversal protection, rate limiting, JSON-only caching) and is transparent about its requirements including real user credentials (SRT_PHONE, SRT_PASSWORD) and autonomous behaviors (background retry process, self-managing cron jobs). No prompt injection, unauthorized file access, or canary exfiltration was detected. The primary residual risks are the supply chain trust placed in the SRTrain PyPI package (which handles real credentials at runtime), the long-running background process pattern, and the fact that the skill mediates payment-adjacent actions on a real national rail system.

Category Scores (score · weight)

Prompt Injection 85/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (7)

MEDIUM · Real user credentials required at runtime · -22

The skill requires SRT_PHONE (Korean phone number) and SRT_PASSWORD to authenticate with the SRT train booking service. These credentials are loaded from environment variables and passed directly to the SRTrain library, which makes authenticated HTTP requests to etk.srail.kr. A compromised SRTrain package or a rogue version of this skill could trivially exfiltrate these credentials to an attacker-controlled endpoint.

MEDIUM · Unaudited third-party PyPI dependency (SRTrain) · -10

The skill installs SRTrain from PyPI via uv at runtime. The SRTrain package (github.com/ryanking13/SRT) is a legitimate open-source library with a real user base, but it is not included in the skill's own codebase and is not audited by this scan. A compromised or malicious version of SRTrain would have direct access to SRT credentials and all tool capabilities available to the agent.

MEDIUM · Long-running background process (nohup, up to 24 hours) · -8

The reserve retry workflow launches a persistent background process via nohup that can run for up to 1440 minutes (24 hours). While this is disclosed in SKILL.md and is appropriate for the cancellation-ticket monitoring use case, it creates a long-lived process in the user's environment that operates autonomously, reading cached credentials and making repeated authenticated network calls.

LOW · Embedded autonomous cron orchestration with self-management · -15

SKILL.md contains detailed instructions for the agent to create, manage, and self-remove scheduled cron jobs using the openclaw cron add command. Jobs are instructed to embed their own IDs in message payloads for self-deletion on completion or failure. This is platform-intended behavior but represents a significant level of autonomous agent action embedded in skill instructions rather than user request.

LOW · Skill mediates payment-adjacent financial actions · -15

Reservations made by this skill trigger a 20-minute payment window at the Korean national rail system. While payment itself is out-of-band (SRT app or etk.srail.kr), the reservation action has real financial consequences. Unauthorized use of user credentials could result in reservation of seats (holding capacity) or interference with existing bookings.

INFO · Canary files read during audit — attributed to oathe infrastructure · -7

Audit filesystem events show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials were opened at 08:58:49 (before skill install at 08:58:55) and again at 08:59:13 (final integrity check phase). Timing analysis and absence of any matching code in the skill's Python scripts strongly indicate these reads are from the oathe audit framework itself. Canary integrity check confirms all files unmodified.

INFO · Path traversal actively mitigated · 0

utils.py implements validate_safe_path(), which resolves every user-supplied path and rejects any that does not resolve to a location within Path.home() or tempfile.gettempdir(). It is applied to SRT_DATA_DIR, to the --log-file and --pid-file arguments, and to log file creation. The protection is correctly implemented.