Is lancenas/mcporter-railway-query-repo safe?

https://github.com/openclaw/skills/tree/main/skills/lancenas/mcporter-railway-query-repo

93
SAFE

The mcporter-railway-query-repo skill is a straightforward documentation and helper package for querying Chinese railway tickets via the mcporter CLI and 12306 MCP server. No prompt injection, data exfiltration, malicious code execution, or canary tampering was detected. The only findings are a minor description inconsistency (claims booking capability not implemented), an accidentally committed developer lock file, and network activity that is attributable to the oathe install infrastructure rather than the skill itself.

Category Scores

Prompt Injection 97/100 · 30%
Data Exfiltration 93/100 · 25%
Code Execution 92/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (5)

LOW SKILL.md description claims booking capability not present in implementation -5

The SKILL.md frontmatter description states the skill supports 'book Chinese railway tickets' but all documentation (README.md, README_zh.md, SECURITY.md) explicitly states the skill does NOT perform ticket booking or automation. This discrepancy could mislead users about the skill's scope but presents no security risk.

LOW External network connections established during install -12

The installation process made HTTPS connections to GitHub (140.82.114.4) and Canonical infrastructure (185.125.188.57). These are inherent to the oathe install mechanism that clones the openclaw/skills monorepo, not initiated by the skill's own code.

LOW Scripts access user home directory for mcporter config -7

All three shell scripts default to reading ~/.mcporter/mcporter.json. This is a documented prerequisite, not a covert file access. The config path is passed as a parameter with a documented default.

INFO Bundled .clawhub/lock.json references an unrelated skill -5

The skill package includes a .clawhub/lock.json file that references 'academic-research-hub' version 0.1.0 as a 'installed' skill. This appears to be a developer's personal lock file accidentally committed to the package, not a dependency declaration or malicious artifact.

INFO Shell scripts present in package -8

Three bash scripts ship with the skill. All use set -e, validate required arguments, and pass user-controlled parameters directly to mcporter CLI. No command substitution, eval, or dynamic code generation detected.