Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cn Express Tracker

v1.0.0

Query package tracking information from Chinese and international carriers using Kuaidi100 API. Supports auto-detection of carrier from tracking number. Use...

Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability (flagged)
The skill's name and description (Kuaidi100-based tracking) match what the included script does: local carrier detection plus a signed POST to poll.kuaidi100.com. However, the registry metadata lists no required environment variables or primary credential, while SKILL.md and scripts/track.sh both require EXPRESS_TRACKER_KEY and EXPRESS_TRACKER_CUSTOMER. That mismatch between metadata and instructions is an inconsistency a user should notice.
Instruction Scope (flagged)
SKILL.md and scripts/track.sh limit actions to local carrier-detection logic, a single HTTPS POST to poll.kuaidi100.com, and JSON parsing; they do not access other system credentials or network endpoints. But SKILL.md explicitly instructs users to persist API keys by appending exports to ~/.bashrc or ~/.zshrc, which encourages storing secrets in plaintext in shell startup files. The Agent Integration snippet references placeholders ($KEY / $CUSTOMER) that are not declared in the registry metadata, another mismatch.
Install Mechanism
This is an instruction-only skill with a bundled shell script; there is no install spec, no downloads, and no packages installed by the skill. It relies on standard local binaries (curl, jq, md5/openssl) which is proportionate to its purpose.
Credentials (flagged)
The only secrets the skill needs (EXPRESS_TRACKER_KEY and EXPRESS_TRACKER_CUSTOMER) are appropriate for Kuaidi100 API access. However, the registry metadata claims 'no required env vars' while the runtime instructions and script require two API credentials; this inconsistency reduces trust and should be corrected or clarified before use.
Persistence & Privilege
The skill does not request permanent platform-level privileges (always:false) and does not modify other skills or system-wide agent settings. The only persistence recommended is optional user action to add exports to shell rc files (which is a user-facing suggestion, not an automated change).
What to consider before installing
This skill's code matches its stated purpose: it auto-detects a carrier and sends a signed HTTPS request to poll.kuaidi100.com. However, the package metadata omitted the fact that two API credentials are required; SKILL.md and scripts/track.sh do require EXPRESS_TRACKER_KEY and EXPRESS_TRACKER_CUSTOMER. Before installing or using:

(1) Verify the skill source, and prefer running the included script locally rather than giving the agent persistent access to your secrets.
(2) Avoid pasting API keys into ~/.bashrc or ~/.zshrc; use ephemeral environment variables or a secrets manager if available.
(3) Confirm the API key/account on Kuaidi100 and limit its scope and balance.
(4) If you plan to let the agent invoke the skill autonomously, be aware it will have network access to poll.kuaidi100.com and will use the provided API credentials for those calls.

If the missing metadata (required env vars / primary credential) is fixed and you control the API keys, the skill appears coherent for tracking use. Otherwise, treat the metadata mismatch as a red flag and ask the publisher to correct it.


License

MIT-0
Free to use, modify, and redistribute. No attribution required.