critical
suspicious.dynamic_code_execution
- Location
- venv/lib/python3.14/site-packages/pip/_vendor/pygments/formatters/__init__.py:91
- Finding
- Dynamic code execution detected.
Parcel Tracking
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.dynamic_code_execution, suspicious.exposed_secret_literal, suspicious.insecure_tls_verification
Findings (23)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
What this means
The skill will act under the user's Track123 API account or quota when it looks up parcels.
Why it was flagged
The skill uses a Track123 API secret from the environment as the provider authentication header. This is expected for the stated Track123 integration, but it is still a credential boundary users should notice.
Skill content
secret = os.getenv("TRACK123_API_SECRET") ... "Track123-Api-Secret": get_api_secret()Recommendation
Use a scoped or easily revocable Track123 API secret if available, keep it private, and avoid setting TRACK123_API_BASE to an untrusted endpoint.
What this means
Parcel identifiers and optional postal codes are shared with Track123 to retrieve tracking information.
Why it was flagged
The skill sends the user-provided tracking number and optional postal code to the Track123 API. This is purpose-aligned, but it is an external data flow involving delivery information.
Skill content
payload = {"trackNos": [tracking_number], ...}; if postal_code: payload["postalCode"] = postal_code ... requests.post(url, headers=api_headers(), json=payload)Recommendation
Only use the skill for tracking numbers and postal codes you are comfortable sending to Track123, and review Track123's privacy practices if the data is sensitive.
What this means
There is more bundled third-party code than the visible parcel-tracking script needs, making the package harder to audit.
Why it was flagged
The package includes a full Python virtual environment and package-manager libraries for a small tracking helper. No artifact shows those extra files being automatically executed, but the packaging increases provenance and review surface.
Skill content
503 file(s): SKILL.md, requirements.txt, track.py, venv/lib/python3.14/site-packages/pip/..., venv/lib/python3.14/site-packages/requests/...
Recommendation
Prefer a lean package with declared dependencies, pinned versions or hashes, and registry metadata that accurately declares python3, requests, and TRACK123_API_SECRET.
Findings (23)
critical
suspicious.exposed_secret_literal
- Location
- venv/lib/python3.14/site-packages/pip/_internal/network/auth.py:97
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- venv/lib/python3.14/site-packages/pip/_vendor/requests/adapters.py:257
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- venv/lib/python3.14/site-packages/pip/_vendor/requests/sessions.py:322
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- venv/lib/python3.14/site-packages/pip/_vendor/urllib3/connection.py:423
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- venv/lib/python3.14/site-packages/pip/_vendor/urllib3/connectionpool.py:991
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- venv/lib/python3.14/site-packages/pip/_vendor/urllib3/contrib/_securetransport/low_level.py:231
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- venv/lib/python3.14/site-packages/pip/_vendor/urllib3/contrib/socks.py:102
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- venv/lib/python3.14/site-packages/requests/adapters.py:257
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- venv/lib/python3.14/site-packages/requests/sessions.py:322
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- venv/lib/python3.14/site-packages/urllib3/connection.py:807
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- venv/lib/python3.14/site-packages/urllib3/connectionpool.py:1073
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- venv/lib/python3.14/site-packages/urllib3/contrib/socks.py:116
- Finding
- File appears to expose a hardcoded API secret or token.
warn
suspicious.insecure_tls_verification
- Location
- venv/lib/python3.14/site-packages/pip/_internal/network/session.py:312
- Finding
- HTTPS certificate verification is disabled.
warn
suspicious.insecure_tls_verification
- Location
- venv/lib/python3.14/site-packages/pip/_vendor/truststore/_macos.py:371
- Finding
- HTTPS certificate verification is disabled.
warn
suspicious.insecure_tls_verification
- Location
- venv/lib/python3.14/site-packages/pip/_vendor/truststore/_windows.py:458
- Finding
- HTTPS certificate verification is disabled.
warn
suspicious.insecure_tls_verification
- Location
- venv/lib/python3.14/site-packages/pip/_vendor/urllib3/connection.py:454
- Finding
- HTTPS certificate verification is disabled.
warn
suspicious.insecure_tls_verification
- Location
- venv/lib/python3.14/site-packages/pip/_vendor/urllib3/contrib/pyopenssl.py:113
- Finding
- HTTPS certificate verification is disabled.
warn
suspicious.insecure_tls_verification
- Location
- venv/lib/python3.14/site-packages/pip/_vendor/urllib3/contrib/securetransport.py:794
- Finding
- HTTPS certificate verification is disabled.
warn
suspicious.insecure_tls_verification
- Location
- venv/lib/python3.14/site-packages/pip/_vendor/urllib3/util/ssl_.py:140
- Finding
- HTTPS certificate verification is disabled.
warn
suspicious.insecure_tls_verification
- Location
- venv/lib/python3.14/site-packages/urllib3/connection.py:951
- Finding
- HTTPS certificate verification is disabled.
warn
suspicious.insecure_tls_verification
- Location
- venv/lib/python3.14/site-packages/urllib3/contrib/pyopenssl.py:84
- Finding
- HTTPS certificate verification is disabled.
warn
suspicious.insecure_tls_verification
- Location
- venv/lib/python3.14/site-packages/urllib3/util/ssl_.py:353
- Finding
- HTTPS certificate verification is disabled.