express-monitor
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: express-monitor
Version: 1.0.0
The skill provides legitimate express tracking functionality by querying the public Kuaidi100 API. It manages tracking history and user-provided phone numbers locally in the `~/.openclaw/workspace/data/express/` directory. Although `SKILL.md` incorrectly claims that phone numbers are stored with encryption (they are stored in plain JSON in `phones.json`), the code in `express_monitor.py` lacks any indicators of data exfiltration, malicious execution, or unauthorized access.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user's phone number and package-tracking history may remain readable on disk by other local processes or anyone with access to the workspace.
Bound phone numbers are written to a persistent local JSON file with no encryption or access-control handling shown. The same script also persists tracking history under the OpenClaw workspace.
PHONE_FILE = os.path.join(DATA_DIR, "phones.json")
...
json.dump(phones, f, ensure_ascii=False, indent=2)
Either implement real encryption and clear retention controls, or accurately disclose plaintext storage and provide an easy unbind/delete command.
Users may share a phone number believing it is encrypted when the provided implementation stores it in readable form.
The documentation promises encrypted storage for bound phone numbers, but the included code saves them directly with json.dump to phones.json.
- Phone-number binding information is encrypted and stored separately
Correct the documentation or implement verifiable encryption before asking users to bind phone numbers.
The third-party tracking service receives the package tracking number being queried.
Tracking numbers are sent to Kuaidi100 endpoints for lookup. This is purpose-aligned and partially disclosed by the API/scraping notes, but it is still an external data flow.
url = 'https://m.kuaidi100.com/query'
...
data = { 'type': company_code, 'postid': tracking_number }
Tell users explicitly which provider receives tracking numbers and prefer an official API if available.
The skill may fail or rely on whatever package version is already present in the environment.
The script depends on the requests package, but the skill has no install spec or dependency declaration.
import requests
Declare required Python dependencies and versions in the install metadata.
