Is lancenas/mcporter-railway-query safe?

https://github.com/openclaw/skills/tree/main/skills/lancenas/mcporter-railway-query

92
SAFE

This skill provides legitimate functionality for querying Chinese railway tickets through helper scripts that interface with the mcporter CLI tool. The code is transparent and straightforward with no evidence of malicious behavior, though it has minor input validation concerns and external dependencies.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (4)

LOW Formatting anomaly in frontmatter -5

The YAML frontmatter uses a Chinese full-width colon (：) instead of a standard ASCII colon (:) in the description field. This is likely a typo rather than a malicious attempt.

MEDIUM Shell scripts with limited input validation -15

The skill contains three shell scripts that accept user input and pass it to the mcporter CLI tool. While the scripts have basic parameter validation, they don't sanitize input before passing it to external commands.

LOW External service dependency -10

The skill references external services including a local MCP server (127.0.0.1:8080) and relies on mcporter CLI configuration. While documented, this creates potential attack vectors if these services are compromised.

LOW External tool dependency -10

The skill's functionality depends entirely on the external mcporter CLI tool and 12306 MCP server. Any vulnerabilities in these dependencies could affect security.