Chinese Express Tracking (No API)
Pass
Audited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill
Name: cn-express-tracker-noapi
Version: 0.1.1
The skill bundle is a legitimate tool for tracking Chinese express packages using the Kuaidi100 public interface. The Python script (scripts/track.py) uses standard libraries (urllib) to perform POST requests to a known tracking service and contains no evidence of data exfiltration, malicious execution, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may fail on systems without python3 even though no binary requirement is declared.
The skill depends on a python3 runtime, while the registry requirements declare no required binaries; this is a minor metadata/runtime dependency gap, not hidden execution.
python3 scripts/track.py --num <快递单号>
Verify python3 is available before use; the publisher should declare the runtime dependency in metadata.
A user could share partial phone information in the chat while checking a package.
The skill may ask for the last four digits of a sender or recipient phone number for some SF tracking queries; this is purpose-aligned but is still personal verification information.
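Some SF Express tracking numbers require the last four digits of the sender's or recipient's phone number (ask the user for this separately)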
Ask for phone-number suffixes only when the courier lookup truly requires it, explain why, and avoid storing or reusing that information.
Kuaidi100 receives the queried tracking number, and tracking results may reveal shipment timing and location history.
The script posts the courier code and user-supplied tracking number to Kuaidi100 to retrieve tracking data.
QUERY_URL = "https://www.kuaidi100.com/query" ... params = {"type": com, "postid": num}
Use the skill only for tracking numbers the user agrees to share with Kuaidi100, and avoid adding unnecessary personal details.
