Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
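Courier tracking demo
v1.0.0 Queries courier shipment tracking history and delivery sign-off status; supports automatic courier company detection and multiple mainstream courier services. Requires configuring a KuaiDi100 authorization key.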
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The skill claims to query KuaiDi100 and the code posts to KuaiDi100's poll endpoints using KUAIDI100_KEY and KUAIDI100_CUSTOMER, which is coherent. However, the registry metadata reported 'required env vars: none' while SKILL.md and the code require two env vars; this metadata mismatch is inconsistent and surprising.
Instruction Scope
SKILL.md instructs running 'python3 skills/kuaidi100/kuaidi100.py' and describes a 'companies' command, but the provided code file is express.py (path/name mismatch). The code's handling of the 'companies' argument is incomplete: it contains an ellipsis (...) and then proceeds to json.loads(arg), so passing 'companies' will cause JSON parsing failure. The instructions otherwise only reference the expected env vars and the KuaiDi100 API endpoints and do not attempt to read unrelated files or credentials.
Install Mechanism
No install spec (instruction-only) — low risk for unexpected installs. However the Python script uses the 'requests' library which is not declared in SKILL.md or the manifest; missing dependency information may cause runtime failure. No downloads or external install URLs are present.
Credentials
The only credentials the code uses are KUAIDI100_KEY and KUAIDI100_CUSTOMER, which are appropriate for this KuaiDi100 integration. The inconsistency is that the registry metadata omitted these required env vars while SKILL.md includes them; this mismatch between the registry metadata and SKILL.md should be resolved before trusting the package.
Persistence & Privilege
Skill does not request elevated persistence (always: false), does not attempt to modify other skills or system configuration, and does not include an install script that would write persistent files. Autonomous invocation is permitted (platform default) but is not combined with other concerning privileges.
What to consider before installing
This skill looks like a legitimate KuaiDi100 tracking helper, but there are practical inconsistencies and a bug you should address before enabling it. Do not install or expose other credentials until resolved. Specific actions to consider:
- Do not trust the registry metadata that lists no env vars; the code requires KUAIDI100_KEY and KUAIDI100_CUSTOMER. Only provide those KuaiDi100 credentials if you obtained them yourself.
- Fix or confirm the script path: SKILL.md references skills/kuaidi100/kuaidi100.py but the repo contains express.py. Either rename the file or update SKILL.md.
- The 'companies' command is not implemented correctly (the code will try to parse the literal 'companies' as JSON). Test the script in a safe environment and correct the implementation if you need that feature.
- Ensure Python and the 'requests' library are installed on the agent host (the package doesn't declare this dependency).
- Because there are inconsistencies between manifest, SKILL.md, and code, prefer to run the script manually (outside an agent) for testing, and audit network requests to confirm they only go to poll.kuaidi100.com before enabling autonomous agent use.
