ClawHub

批量快递查询API-快递鸟

v1.0.0

支持通过快递鸟API实时查询运单轨迹信息;当用户需要查询快递物流状态、追踪运单进度或获取包裹配送详情时使用

0· 18·0 current·0 all-time
bykdnaio@15814059255
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name, description, SKILL.md, and the included script consistently implement real-time queries to the 快递鸟 (Kdniao) API and require an API credential (CUSTOMER_CODE|APP_KEY). However, registry metadata at the top of the submission lists no required environment variables while SKILL.md and the script require KUAIDI_BIRD_API_CREDENTIALS — this mismatch is likely a packaging/metadata omission rather than malicious.
Instruction Scope
SKILL.md describes installing requests, setting the KUAIDI_BIRD_API_CREDENTIALS env var, passing a logistic-code argument, and delegating to scripts/query_tracking.py. The instructions do not ask the agent to read unrelated files, other env vars, or send data to unexpected endpoints; the script posts to the documented https://api.kdniao.com/api/dist endpoint and prints structured JSON results.
Install Mechanism
There is no automated install spec (instruction-only), and dependencies are a single standard Python package (requests). No arbitrary downloads, extract steps, or non-standard installers are present. Risk from installation is low.
Credentials
The skill requires a single service credential (KUAIDI_BIRD_API_CREDENTIALS in format CUSTOMER_CODE|APP_KEY) which is proportional to calling the Kdniao API. The credential is used only to sign requests; no other unrelated secrets are requested. Note: SKILL.md contains an example credential value (sample) — users should avoid using real keys in examples or public repos.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system-wide settings. It runs as an invoked script and prints results; autonomous invocation is allowed by default but not excessive for this type of integration.
Assessment
This skill appears to do what it says: it calls the 快递鸟 (Kdniao) API using a single API credential stored in KUAIDI_BIRD_API_CREDENTIALS (format CUSTOMER_CODE|APP_KEY). Before installing, verify the registry metadata is updated to declare that env var (a packaging omission), review the included script (it's short and readable), and ensure you: (1) provide only valid service credentials via environment variables (do not hard-code them), (2) avoid pasting real API keys into public examples or logs, and (3) confirm your environment can make outbound HTTPS calls to https://api.kdniao.com. If you want extra assurance, run the script locally with a test account first. Confidence in this assessment is high given the clear one-to-one mapping between purpose, docs, and code.

Like a lobster shell, security has layers — review code before you run it.

latestvk974cetzabzynhhn441jtbdj6x84hz9f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments