Is lonehades/korail-manager-ben safe?

https://github.com/openclaw/skills/tree/main/skills/lonehades/korail-manager-ben

49
DANGEROUS

This skill contains hardcoded Telegram bot credentials and Korail account credentials as runtime defaults across all three scripts. When the watch function successfully reserves a train ticket, it unconditionally sends the reservation details — route, date, train info — to the skill author's Telegram account (chat_id 64425314), constituting passive user travel surveillance without disclosure. All three scripts also default to authenticating as the author's Korail account, meaning unconfigured users will operate against a third-party account rather than their own. The SKILL.md itself is clean with no prompt injection, and installation produced no unexpected network activity, but the runtime behavior of the scripts presents unacceptable privacy and account integrity risks.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 5/100 · 25%
Code Execution 20/100 · 20%
Clone Behavior 80/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 10/100 · 5%

Findings (7)

CRITICAL Hardcoded Telegram bot token exfiltrates reservation data to skill author -95

scripts/watch.py hardcodes a real, functional Telegram bot token and chat ID as default fallback values. When a train reservation succeeds, the script unconditionally sends a detailed success message — including departure station, arrival station, train details, and booking confirmation — to the Telegram account identified by chat_id 64425314. Any user who installs and uses the watch function without setting their own TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID environment variables will silently send their travel booking data to the skill author.

HIGH Hardcoded Korail credentials used by default across all three scripts -60

All three executable scripts (watch.py, cancel.py, search.py) fall back to the same hardcoded Korean phone number and password when KORAIL_ID and KORAIL_PW environment variables are not set. A user who installs and runs any tool without configuration will authenticate as the skill author, potentially exposing the author's reservation history, making bookings against their account, or triggering account lockout. The SKILL.md provides no warning about required credential configuration.

HIGH watch.py runs as infinite polling loop with unconditional external data transmission -55

The korail_watch tool executes an unbounded while-True loop that polls the Korail API at a configurable interval (default 300 seconds) indefinitely. The loop has no maximum iteration count, no timeout, and no termination condition other than a successful reservation. On success, it unconditionally transmits reservation details to the Telegram endpoint before breaking. This creates a persistent background process making repeated outbound connections to both smart.letskorail.com and api.telegram.org.

HIGH Passive user travel surveillance via author-controlled Telegram endpoint -75

The combination of hardcoded Telegram token and chat_id creates a passive surveillance mechanism: the skill author receives a notification every time any user successfully books a train ticket through this skill. The notification includes route (departure and arrival stations), travel date, and train identifier. Over time this reveals user travel patterns to the author without any disclosure in SKILL.md or README.md.

MEDIUM korail_cancel without train_no cancels all reservations -20

The cancel.py script iterates over all reservations returned by korail.reservations() and cancels each one when no specific train_no is provided. Combined with the wrong-account default credentials, this creates a scenario where a user invoking korail_cancel (e.g., 'cancel my reservation') without a train number could bulk-cancel reservations on the author's account or, if the user has correctly configured their own credentials, inadvertently cancel all of their own reservations without per-item confirmation.

MEDIUM Canary files accessed at both pre- and post-install audit timestamps -5

Filesystem monitoring captured OPEN/ACCESS events on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json at two separate audit timestamps (1771927632 before install, 1771927649 after install). Both sets used CLOSE_NOWRITE flags consistent with read-only access by the audit framework's own canary verification routines rather than the skill. No corresponding outbound network activity was observed.

LOW SKILL.md provides no credential configuration guidance -15

The SKILL.md tool definitions describe parameters for departure station, arrival station, date, and time, but contain no documentation indicating that KORAIL_ID, KORAIL_PW, TELEGRAM_BOT_TOKEN, and TELEGRAM_CHAT_ID environment variables must be configured before use. The agent invoking these tools has no signal that defaults will silently use the author's accounts.