Jdl Express
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: jdl-express Version: 1.0.0 The jdl-express skill provides JD Logistics tracking and shipping estimation services with transparent local data persistence. It utilizes a dedicated security module (security.py) to manage encrypted local storage using Fernet (cryptography), and includes explicit privacy commands (info, clear, export) for user data management. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found; the code logic is consistent with its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could make decisions based on fabricated package status, locations, or delivery dates.
The tracking function constructs fixed, exact-looking shipment events and delivery details locally rather than showing a visible JD Logistics API lookup. For a skill advertised for shipment tracking, this can mislead users into believing mock data is real.
events=[TrackingEvent(... description="快件已到达【北京顺义分拣中心】" ...), TrackingEvent(... description="快件已从【上海青浦分拣中心】发出" ...)], estimated_delivery=(datetime.now() + timedelta(days=1))..., sender="上海市", receiver="北京市"
Treat tracking output as illustrative unless the skill clearly labels it as mock data or adds a verified official JD Logistics data source; verify shipments directly with JD Logistics.
Tracking numbers, shipment history, and possible address/phone data may remain on the device after use.
The skill intentionally persists shipment history, subscriptions, and possible address records locally. This is disclosed and scoped to the skill's data directory, with privacy controls, but it can still contain personal logistics data.
`~/.openclaw/data/jdl-express/jdlexpress.db` - stores query history - stores shipment-subscription records - may store saved address records ... `secure/.key` - stores a local encryption key file with mode `600`
Use the privacy clear/export commands when needed, and avoid saving address records on shared or untrusted computers.