Life Query

Pass. Audited by ClawScan on May 10, 2026.

Overview

Life Query appears to be a straightforward daily-information lookup skill that sends user-provided query details to disclosed public services; optional courier credentials and dependency metadata gaps are worth noticing but not suspicious.

This skill looks safe for normal use if you are comfortable with third-party lookup services. Before installing, note that it needs curl and python3, and avoid providing sensitive tracking numbers, locations, or courier API credentials unless you trust the listed providers.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can execute its own lookup scripts on the user's machine to perform the requested queries.

Why it was flagged

The skill can run its dispatcher script via Bash, which then invokes the included query scripts. This is bounded to the skill directory and purpose-aligned, but it is still local command execution.

Skill content

allowed-tools: Bash({baseDir}/scripts/run.sh:*),Read({baseDir}/**)

Recommendation

Install only if you are comfortable with the skill running its included Bash scripts; review script behavior if using it in a restricted environment.

What this means

Tracking numbers, city names, province names, currency codes, and amounts may be sent to the listed third-party services when you ask those queries.

Why it was flagged

The skill discloses that user-provided lookup data is sent to external service providers. This is expected for the skill's purpose, but courier numbers and locations can be personal.

Skill content

courier-track (free) | `api.fenxianglife.com` | tracking number only ... weather | `wttr.in` | city name

Recommendation

Do not query tracking numbers or locations you consider sensitive unless you are comfortable sharing them with the listed providers.

What this means

If you set Kuaidi100 credentials, the skill can use that account's API access for courier tracking requests.

Why it was flagged

When optional Kuaidi100 credentials are present in the environment, the script reads them and uses them for the direct Kuaidi100 courier API path. This matches the documented optional credential flow.

Skill content

KEY="${KUAIDI100_KEY:-}" ... CUSTOMER="${KUAIDI100_CUSTOMER:-}" ... "https://poll.kuaidi100.com/poll/query.do"

Recommendation

Set Kuaidi100 environment variables only intentionally, and use credentials scoped to courier tracking if possible.

What this means

The skill may appear dependency-free in metadata but fail at runtime if curl or python3 is unavailable; optional Kuaidi100 configuration may also be missed.

Why it was flagged

The skill documents runtime dependencies in SKILL.md, while the supplied registry requirements say no required binaries and no env vars. This is an under-declared metadata issue, not hidden behavior.

Skill content

- **Required**: `curl`, `python3` (the versions that ship with the system are fine)

Recommendation

Confirm curl and python3 are available before use, and treat Kuaidi100 variables as optional credentials rather than general environment settings.