ClawHub

Parcel Package Tracking

v1.0.0

Track and add deliveries via Parcel API.

1· 2.1k·7 current·7 all-time
byGustavo Madeira Santana@gumadeiras
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (track and add deliveries via Parcel API) matches the SKILL.md which requests a PARCEL_API_KEY and shows calls to a parcel-api.js script. However the registry metadata does not declare the PARCEL_API_KEY requirement (metadata lists no required env vars), which is an inconsistency.
Instruction Scope
SKILL.md instructs only to call the included Node script to list/add deliveries and to set PARCEL_API_KEY. It does not instruct the agent to read unrelated files or exfiltrate data to unexpected endpoints. The instructions do reference a specific path (~/.clawdbot/skills/parcel/parcel-api.js) and the Parcel web site for the API key, which is consistent with the described functionality.
Install Mechanism
There is no install spec (instruction-only), which is low risk. However the skill includes a code file (parcel-api.js) that will be executed via 'node' according to SKILL.md. The registry's 'required binaries' list claims none, so the SKILL.md's reliance on the Node runtime is not reflected in metadata — another inconsistency to address.
!
Credentials
SKILL.md requires a PARCEL_API_KEY environment variable (appropriate for accessing Parcel's API), but the published metadata does not list any required env vars. This could lead to the skill having access to a credential that the registry metadata doesn't advertise. The single API key itself is proportionate to the stated purpose, but the metadata mismatch is concerning.
Persistence & Privilege
The skill does not set always:true and does not disable model invocation, so it can be invoked by the model when eligible (default behavior). This is typical for integration skills; nothing here indicates excessive persistent privileges.
What to consider before installing
Do not install blindly. The SKILL.md says the skill needs PARCEL_API_KEY and runs a Node script, but the registry metadata does not declare those requirements (no env vars, no required binaries). Ask the publisher to explain and update the metadata. Before installing, review the parcel-api.js source to confirm it only talks to Parcel's API and doesn't read other files or send data elsewhere. Ensure Node is available in a controlled environment, store your PARCEL_API_KEY securely (least privilege), and consider running the skill in a sandbox or with limited network access if you cannot verify the code.

Like a lobster shell, security has layers — review code before you run it.

latestvk9784785tpk8rdvm27wqngvk4s7z4qy2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments