Jdl Express
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill discloses local storage, but its tracking code appears to generate exact-looking mock JD Logistics updates instead of querying the carrier.
Review this skill carefully before relying on it for real package tracking. It appears safe from an install/exfiltration standpoint in the provided artifacts, but the visible tracking implementation looks like mock data, so verify shipment status with JD Logistics directly and clear local history if you do not want shipment details kept on disk.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could make decisions based on fabricated package status, locations, or delivery dates.
The tracking function constructs fixed, exact-looking shipment events and delivery details locally rather than showing a visible JD Logistics API lookup. For a skill advertised for shipment tracking, this can mislead users into believing mock data is real.
events=[TrackingEvent(... description="快件已到达【北京顺义分拣中心】" ...), TrackingEvent(... description="快件已从【上海青浦分拣中心】发出" ...)], estimated_delivery=(datetime.now() + timedelta(days=1))..., sender="上海市", receiver="北京市"
Treat tracking output as illustrative unless the skill clearly labels it as mock data or adds a verified official JD Logistics data source; verify shipments directly with JD Logistics.
Tracking numbers, shipment history, and possible address/phone data may remain on the device after use.
The skill intentionally persists shipment history, subscriptions, and possible address records locally. This is disclosed and scoped to the skill's data directory, with privacy controls, but it can still contain personal logistics data.
`~/.openclaw/data/jdl-express/jdlexpress.db` - stores query history - stores shipment-subscription records - may store saved address records ... `secure/.key` - stores a local encryption key file with mode `600`
Use the privacy clear/export commands when needed, and avoid saving address records on shared or untrusted computers.