Cainiao
v1.0.0Use Cainiao Network (菜鸟物流) for shipment tracking, shipping guidance, service-type comparison, outlet lookup, and delivery-time or fee estimation. Use when th...
⭐ 0· 134·0 current·1 all-time
byhaidong@harrylabsj
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill announces shipment tracking, estimates, outlet lookup and local persistence. The included cainiao.py implements tracking-query (mocked), time/price estimates, history, subscriptions and address storage which match the described purpose. No unrelated credentials, services, or system resources are requested.
Instruction Scope
SKILL.md explicitly documents the workflows and the local persistence paths the runtime will use. The runtime code only reads/writes files under ~/.openclaw/data/cainiao, uses a local SQLite DB and the SecureStorage helper; it does not read unrelated system files or environment variables.
Install Mechanism
There is no formal install spec, but requirements.txt lists typical Python packages (aiohttp, cryptography, pillow, etc.). Installing the skill will likely require pip-installing those dependencies; this is expected for networking, encryption and image generation but the lack of an explicit install section means the environment must provide/allow pip installs.
Credentials
The skill requests no environment variables or external credentials. The SecureStorage component stores an on-disk Fernet key under the skill's secure directory — this is proportional to its stated need to persist encrypted local data.
Persistence & Privilege
The skill persists data under ~/.openclaw/data/cainiao (SQLite DB, encrypted files, and a .key file with mode 600). This is expected for history/subscription features and the SKILL.md documents privacy operations (privacy info/clear/export). While file permissions are restrictive, storing the symmetric key on disk means encrypted data is recoverable by anyone with the same user account access.
Assessment
This skill appears to implement what it claims: shipment lookups, estimates, and local history. Things to consider before installing: 1) Local persistence: it will create ~/.openclaw/data/cainiao and store a SQLite DB plus encrypted files and a local Fernet key (~/.openclaw/data/cainiao/secure/.key). The key is created with 0600 permissions, but if an attacker gains access to your user account they can decrypt stored data. 2) Dependencies: requirements.txt includes cryptography and other libraries that must be installed (pip). Ensure you install in a virtualenv or otherwise trust those packages. 3) Network behavior: current code uses mocked tracking responses and creates an aiohttp session but contains no hard-coded external endpoints; still be cautious about future changes that may contact external APIs. 4) Privacy controls: the skill provides privacy commands (privacy info/clear/export) — use them to inspect and remove persisted data. 5) If you need real-time official Cainiao tracking, verify whether the skill integrates with the official Cainiao API (this implementation does not). If any of these points are unacceptable, review or run the code in an isolated environment before granting it normal usage.Like a lobster shell, security has layers — review code before you run it.
latestvk97efgd664net93a7cwccwpvbs83myhs
License
MIT-0
Free to use, modify, and redistribute. No attribution required.