oebb-scotty
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [SAFE] (SAFE): No malicious patterns or security vulnerabilities detected in the skill instructions or scripts.
- [EXTERNAL_DOWNLOADS] (SAFE): The skill communicates with fahrplan.oebb.at, which is the official domain for Austrian rail travel services. This is appropriate for the skill's stated purpose.
- [CREDENTIALS_UNSAFE] (SAFE): Includes a hardcoded aid (Authentication ID). This is a publicly known client identifier used for the ÖBB HAFAS/Scotty web API and is not considered a sensitive private credential.
- [INDIRECT_PROMPT_INJECTION] (SAFE): The skill ingests rail travel data and service alerts from the ÖBB API.
  - Ingestion points: API responses processed in arrivals.sh, departures.sh, disruptions.sh, search-station.sh, and trip.sh.
  - Boundary markers: Absent, though the data is structured and generally handled as discrete strings by the agent.
  - Capability inventory: Network access via curl to a specific whitelistable domain.
  - Sanitization: The disruptions.sh script specifically uses jq to strip HTML tags from service alerts, reducing the risk of injecting malicious markup or control sequences.
Audit Metadata