Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Batch Express Tracking - 快递鸟 (Kuaidi Niao)

v1.0.1

Supports real-time lookup of waybill tracking information through the 快递鸟 API; use it when the user needs to check express logistics status, track shipment progress, or get package delivery details.

by kdnaio@15814059255

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description, SKILL.md, and the script all align: this is a kuaidi-bird (快递鸟) tracking skill. However, the registry metadata in the package claims 'Required env vars: none' and 'Primary credential: none' while both SKILL.md and scripts require a KUAIDI_BIRD_API_CREDENTIALS value; this metadata mismatch is an incoherence in the package manifest.
Instruction Scope
Runtime instructions are narrowly scoped to querying the 快递鸟 API: install requests, set KUAIDI_BIRD_API_CREDENTIALS (CUSTOMER_CODE|APP_KEY), run the provided script with a logistic code. The SKILL.md and script only access that environment variable and call the configured API endpoint (defaulting to api.kdniao.com or a user-provided api-url). There are no instructions to read unrelated files or exfiltrate data to unexpected endpoints.
Install Mechanism
This is instruction-only (no install spec). The only dependency is the standard 'requests' Python package, which is proportionate for HTTP API calls. No downloads from arbitrary URLs or archive extraction are present.
Credentials
The skill legitimately needs a single API credential bundled as KUAIDI_BIRD_API_CREDENTIALS (CUSTOMER_CODE|APP_KEY). That is appropriate for the stated purpose. However, the registry metadata did not declare this required environment variable or a primary credential, which is misleading and increases risk (consumers may not realize they need to supply secrets).
Persistence & Privilege
The skill does not request persistent or elevated privileges. The manifest's always flag is false, and the skill does not attempt to modify other skills or system-wide settings. Autonomous invocation is enabled by default (normal for skills) but is not combined here with other red flags.
What to consider before installing
This skill's code and instructions appear to implement a legitimate 快递鸟 (kdniao) tracking integration and require only one credential (KUAIDI_BIRD_API_CREDENTIALS in the format CUSTOMER_CODE|APP_KEY). However, the package metadata incorrectly omits that requirement — treat that as a red flag. Before installing: (1) Verify the package owner/trustworthiness (source is 'unknown'); (2) Confirm you only need to provide the 快递鸟 CUSTOMER_CODE and APP_KEY and nothing else; (3) Inspect the included script yourself (it is short and readable) or run it in a safe/test environment first; (4) Do not use production or highly privileged API keys until you're confident; (5) Prefer creating a dedicated 快递鸟 account or API key with limited scope/quota and rotate it after testing; (6) Ask the publisher to update the registry metadata to declare KUAIDI_BIRD_API_CREDENTIALS as a required/primary credential so the manifest matches the actual requirements.


