Chinese Courier Tracking (No API Required)

Advisory

Audited by static analysis on May 6, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may fail on systems without python3 even though no binary requirement is declared.

Why it was flagged

The skill depends on a python3 runtime, while the registry requirements declare no required binaries; this is a minor metadata/runtime dependency gap, not hidden execution.

Skill content

python3 scripts/track.py --num <快递单号>

Recommendation

Verify python3 is available before use; the publisher should declare the runtime dependency in metadata.

What this means

A user could share partial phone information in the chat while checking a package.

Why it was flagged

The skill may ask for the last four digits of a sender or recipient phone number for some SF tracking queries; this is purpose-aligned but is still personal verification information.

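Skill content

Some SF Express tracking numbers require the last four digits of the sender's or recipient's phone number (ask the user for this separately)

Recommendation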

Ask for phone-number suffixes only when the courier lookup truly requires it, explain why, and avoid storing or reusing that information.

What this means

Kuaidi100 receives the queried tracking number, and tracking results may reveal shipment timing and location history.

Why it was flagged

The script posts the courier code and user-supplied tracking number to Kuaidi100 to retrieve tracking data.

Skill content

QUERY_URL = "https://www.kuaidi100.com/query" ... params = {"type": com, "postid": num}

Recommendation

Use the skill only for tracking numbers the user agrees to share with Kuaidi100, and avoid adding unnecessary personal details.