Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Life Query

Daily life query assistant. Declarative YAML API registry with natural language intent matching. Trigger when the user needs to track a parcel, check shipmen...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 26 · 0 current installs · 0 all-time installs
by eamanc @eamanc-lab
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The declared purpose (parcel tracking) matches the implemented APIs (courier-track). However the implementation calls an external service (https://api.fenxianglife.com) and embeds a secret API key in apis/_env.yaml; the README/SKILL.md does not declare or justify bundling a private API key or a third-party backend.
! Instruction Scope
Runtime instructions/scripts (scripts/run.sh + embedded Python) will: source a local .env or $HOME/.config/fenxiang-api/.env (which executes and exports whatever is in those files), accept user-supplied kuaidi100Key/kuaidi100Customer and include them in requests, and send tracking numbers and any included fields to the fenxianglife API. The script therefore can both execute user-provided shell content and transmit sensitive inputs to an external endpoint.
Install Mechanism
No install spec (instruction-only) and no network downloads at install time — lower install risk. But there is shipped executable script code that will run at runtime and perform outbound network calls.
! Credentials
requires.env lists nothing, but apis/_env.yaml contains a hard-coded X-Api-Key (looks like a private key) and base_url pointing to a third-party host. The skill will include that key in every request. It will also forward any user-supplied kuaidi100Key/kuaidi100Customer to the third-party API, which can leak user secrets. Additionally the script sources $HOME/.config/fenxiang-api/.env, potentially pulling unrelated secrets or executing commands from a user's home config.
Persistence & Privilege
The skill does not set always: true, does not request persistent system-wide privileges, and does not modify other skill configs. It can be invoked autonomously (platform default), which increases blast radius if the skill is trusted, but that is normal behavior.
What to consider before installing
This skill works for parcel tracking but contains a hard-coded API key and sends all calls (including any tracking numbers and any user-provided courier API keys) to https://api.fenxianglife.com. Before installing, consider: (1) Do you trust that third-party service? The repo embeds a secret API key you did not supply. (2) Do not pass your own kuaidi100Key/customer unless you are comfortable it will be forwarded to that external host. (3) The run script will source .env files (including $HOME/.config/fenxiang-api/.env) which may execute content or export unrelated secrets — inspect or remove those files first. Safer alternatives: run a local-only version after removing or replacing apis/_env.yaml with your own trusted endpoint/key, or use a skill that calls the courier provider APIs directly without a third-party proxy.

Current version: v1.0.1
latest: vk978qpy4kp73yham0smymj4r9n8306t5

SKILL.md

Life Query

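Daily life query assistant. The apis/ directory is the API registry: drop in a .yaml file and it is discovered automatically, ready to use out of the box.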

Available APIs

| API | Method | Path | Description |
| courier-track | POST | /skill/courier/track | Query courier shipment tracking history |

Usage

# Track a parcel
bash scripts/run.sh call courier-track --trackingNumber SF1234567890
bash scripts/run.sh call courier-track --trackingNumber SF1234567890 --carrierCode shunfeng

# Use your own Kuaidi100 credentials (optional)
bash scripts/run.sh call courier-track --trackingNumber SF1234567890 \
  --kuaidi100Key YOUR_KEY --kuaidi100Customer YOUR_CUSTOMER

# List all APIs
bash scripts/run.sh list

# Output format (json by default; table for readability)
bash scripts/run.sh call courier-track --trackingNumber SF1234567890 --format table

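Natural language mapping

| User says | API | Key parameters |
| "Look up SF1234567890 for me" | courier-track | trackingNumber=SF1234567890 |
| "Where is the shipment for this tracking number: 75555555555" | courier-track | trackingNumber=75555555555 |
| "Look up a tracking number using my own Kuaidi100 key" | courier-track | +kuaidi100Key/Customer |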

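Adding a new API

Create a .yaml file under apis/ and it is registered automatically. For the format, see references/yaml-spec.md

For complex APIs (pagination / multi-step), use a .sh script placed in the same directory, with # name: and # description: comments at the top.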

Files

7 total