Jdl Express
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could make decisions based on fabricated package status, locations, or delivery dates.
The tracking function constructs fixed, exact-looking shipment events and delivery details locally rather than showing a visible JD Logistics API lookup. For a skill advertised for shipment tracking, this can mislead users into believing mock data is real.
events=[TrackingEvent(... description="快件已到达【北京顺义分拣中心】" ...), TrackingEvent(... description="快件已从【上海青浦分拣中心】发出" ...)], estimated_delivery=(datetime.now() + timedelta(days=1))..., sender="上海市", receiver="北京市"
Treat tracking output as illustrative unless the skill clearly labels it as mock data or adds a verified official JD Logistics data source; verify shipments directly with JD Logistics.
Tracking numbers, shipment history, and possible address/phone data may remain on the device after use.
The skill intentionally persists shipment history, subscriptions, and possible address records locally. This is disclosed and scoped to the skill's data directory, with privacy controls, but it can still contain personal logistics data.
`~/.openclaw/data/jdl-express/jdlexpress.db` - stores query history - stores shipment-subscription records - may store saved address records ... `secure/.key` - stores a local encryption key file with mode `600`
Use the privacy clear/export commands when needed, and avoid saving address records on shared or untrusted computers.