Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Logistics Tracker
v1.0.0 Logistics tracking skill: integrates with the 17Track batch API, automatically tracks shipment status, sends email notifications to customers, and raises alerts on anomalies.
⭐ 0 · 56 · 0 current · 0 all-time
by Jaden's built a claw (@cjboy007)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to integrate with 17Track and to send emails/alerts, and the code implements that. However, the registry metadata lists no required environment variables or config paths, even though config/logistics-config.json references TRACK17_API_KEY and TRACKINGMORE_API_KEY and the SKILL.md tells you to configure SMTP credentials for another skill. The code also expects other skills (order-tracker, imap-smtp-email) to exist and reads their files; this is legitimate for a dependent integration, but the manifest should declare these environment and config dependencies. Their absence is an inconsistency between the manifest and the code.
Instruction Scope
SKILL.md and the source instruct the agent to read other skills' files (e.g., ../../order-tracker/data/orders.json) and to rely on an external SMTP script (../../imap-smtp-email/scripts/smtp.js). The instructions also include absolute example paths (/Users/wilson/...), and the code imports child_process.execFileSync at the top of its modules, which implies executing cross-skill scripts. Reading or executing files outside the skill boundary expands the skill's scope and should be explicit and consented to.
Install Mechanism
No install spec is provided (instruction-only install), but the package includes code and a package.json with at least one dependency (node-cron). You will therefore likely need to run npm install and ensure Node ≥ 18, even though the registry provides no install step. This is not inherently malicious, but it is an operational omission you should be aware of.
Credentials
The skill configuration references API keys (TRACK17_API_KEY, TRACKINGMORE_API_KEY) and relies on SMTP credentials from the imap-smtp-email skill, yet the skill's declared list of required env vars is empty. Requesting or using other skills' .env or SMTP credentials (by executing their smtp.js) expands credential access and should be declared and justified.
Persistence & Privilege
The skill performs persistent writes under its own data/ directory (shipments.json, alert-history, scheduler logs) using atomic write-then-rename, which is expected. The manifest sets always:false, and no code modifies other skills' configuration. However, it does read and execute scripts from sibling skills (order-tracker and imap-smtp-email), which increases its operational reach even though it requests no system-wide privileges.
What to consider before installing
Before installing or running this skill:
1) Be aware that the manifest omits required credentials: you must supply a 17Track API key (TRACK17_API_KEY) and possibly a TrackingMore key; verify where keys are stored (config file vs. environment).
2) The skill reads files and executes scripts from other skills (order-tracker and imap-smtp-email). Only install or run it if you trust those other skills and understand that it will access their data and SMTP credentials.
3) No install steps are provided; you will likely need Node ≥ 18 and to run npm install. Run it in an isolated environment first.
4) Review the included scripts (tracking-api, customer-notify, anomaly-detector) for any endpoints or hard-coded targets you don't recognize, and check that calls to child_process (execFileSync) only invoke expected local scripts.
5) If you want lower risk, require the skill to explicitly declare the env vars and config paths it expects, and run it with limited filesystem permissions or inside a container so its cross-skill file access is constrained.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/anomaly-detector.js:610
Shell command execution detected (child_process).
scripts/customer-notify.js:536
Shell command execution detected (child_process).
