Life Query

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: life-query
Version: 2.0.0

The 'life-query' skill provides legitimate utility for tracking packages, checking exchange rates, oil prices, and weather. The implementation follows safe coding practices, such as using Python's 'sys.argv' and environment variables to handle external data, which mitigates shell injection risks. Sensitive credentials (Kuaidi100 keys) are handled correctly, being sent only to the official service provider and not to the third-party proxy (api.fenxianglife.com) used for the free tier. No evidence of malicious intent, data exfiltration, or harmful prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can execute its own lookup scripts on the user's machine to perform the requested queries.

Why it was flagged

The skill can run its dispatcher script via Bash, which then invokes the included query scripts. This is bounded to the skill directory and purpose-aligned, but it is still local command execution.

Skill content

allowed-tools: Bash({baseDir}/scripts/run.sh:*),Read({baseDir}/**)

Recommendation

Install only if you are comfortable with the skill running its included Bash scripts; review script behavior if using it in a restricted environment.

What this means

Tracking numbers, city names, province names, currency codes, and amounts may be sent to the listed third-party services when you ask those queries.

Why it was flagged

The skill discloses that user-provided lookup data is sent to external service providers. This is expected for the skill's purpose, but courier numbers and locations can be personal.

Skill content

courier-track (free) | `api.fenxianglife.com` | tracking number only ... weather | `wttr.in` | city name

Recommendation

Do not query tracking numbers or locations you consider sensitive unless you are comfortable sharing them with the listed providers.

What this means

If you set Kuaidi100 credentials, the skill can use that account's API access for courier tracking requests.

Why it was flagged

When optional Kuaidi100 credentials are present in the environment, the script reads them and uses them for the direct Kuaidi100 courier API path. This matches the documented optional credential flow.

Skill content

KEY="${KUAIDI100_KEY:-}" ... CUSTOMER="${KUAIDI100_CUSTOMER:-}" ... "https://poll.kuaidi100.com/poll/query.do"

Recommendation

Set Kuaidi100 environment variables only intentionally, and use credentials scoped to courier tracking if possible.

What this means

The skill may appear dependency-free in metadata but fail at runtime if curl or python3 is unavailable; optional Kuaidi100 configuration may also be missed.

Why it was flagged

The skill documents runtime dependencies in SKILL.md, while the supplied registry requirements say no required binaries and no env vars. This is an under-declared metadata issue, not hidden behavior.

Skill content

- **Required**: `curl`, `python3` (the versions that ship with the system are fine)

Recommendation

Confirm curl and python3 are available before use, and treat Kuaidi100 variables as optional credentials rather than general environment settings.