Is manmal/a-nach-b safe?

https://github.com/openclaw/skills/tree/main/skills/manmal/a-nach-b

92
SAFE

This skill is a legitimate Austrian public transport API wrapper that provides real-time departures, route planning, and service disruption information. The shell scripts are well-documented and make safe HTTP requests to the official HAFAS transport API with proper input validation.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 95/100 · 5%

Findings (2)

LOW Canary file access during installation -10

System monitoring detected access to honeypot files (.env, SSH keys, AWS credentials) during skill installation. However, this appears to be from SSH session system processes rather than the skill itself, and no files were modified or exfiltrated.

LOW Executable shell scripts present -15

The skill contains multiple executable bash scripts (search.sh, departures.sh, route.sh, disruptions.sh) that make HTTP requests to external APIs. These scripts appear legitimate and properly validate input parameters, making safe curl requests to the Austrian public transport HAFAS API.