Skillv1.0.1

ClawScan security

海外物流Skill合集 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 23, 2026, 1:14 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill claims to be a JD international logistics query pack, and mostly implements that, but there are several mismatches and risky choices (undeclared credentials, inconsistent env var names, an unexpected third‑party endpoint and disabled TLS verification) that do not align with its stated purpose.
Guidance: This skill largely does what it says (logistics tracking and indicators), but there are several red flags you should address before installing or providing any secret: - Do not set or expose any real API token until you confirm the exact env var name the skill expects. The code expects process.env.token or joy_token, but README suggests api_key in ~/.env — these must be reconciled. - The tracking script sends requests to lop-proxy.ochama.com rather than a jd.com domain. Ask the author why a third‑party proxy is used and request documentation proving it's an approved JD proxy. If you cannot verify, do not provide tokens. - The HTTPS requests set rejectUnauthorized: false, which disables TLS certificate verification. This weakens security and can enable man‑in‑the‑middle interception of tokens/responses. Request that the author remove this and use verified TLS. - If you must test, do so in an isolated environment with a throwaway token (no production credentials) and monitor outbound connections. Prefer to run the scripts in a network-restricted environment so they cannot reach unknown hosts until verified. - Ask the publisher to update the registry metadata to declare required env vars (exact names) and to justify any non-jd endpoints. If the author can prove the proxy is authorized and fix TLS settings and the env var mismatch, the concerns would be resolved and confidence would increase. If you want, I can draft specific questions to send to the author or produce a safe test plan to validate endpoints and env var usage.

Review Dimensions

Purpose & Capability: concernThe skill's name and documented features match the code (tracking + indicators). However the tracking script posts to lop-proxy.ochama.com (not a jd.com domain) while setting a JD-related header; that proxy is unexpected for a JD logistics skill. Also registry metadata declares no required env vars/credentials but the scripts require a token/joy_token environment variable — a clear mismatch.
Instruction Scope: concernRuntime instructions are concrete (call node scripts with positional args) and mostly scoped to querying APIs. Problems: SKILL.md/README and scripts disagree about where/what env var to store credentials (README shows api_key in ~/.env, scripts use process.env.token or joy_token). The README suggests writing secrets to ~/.env; SKILL metadata declares no secrets. Instructions also require very strict command formats (positional args, '.' placeholders) which is fine functionally but increases risk if users accidentally expose tokens in shells/logs. No explicit exfiltration code exists, but the unexpected proxy hostname and TLS verification being disabled in the HTTPS calls broaden the scope of risk.
Install Mechanism: okNo install specification (instruction-only + included scripts). No external archives or installers are fetched during install. The code is present in the bundle, so install risk is low. However the runtime code makes outbound HTTPS requests and sets rejectUnauthorized: false — a runtime choice that weakens TLS security.
Credentials: concernScripts expect a token (process.env.token or joy_token) and the README instructs writing an api_key to ~/.env under a different name. The skill package metadata does not declare any required env vars or primary credential. Requesting and using a token is proportionate to calling JD APIs, but the undeclared/misaligned env var names, plus sending that token to an unexpected third‑party host (lop-proxy.ochama.com) and disabling certificate validation, is disproportionate and suspicious.
Persistence & Privilege: okalways:false and user-invocable:true (defaults). The skill does not request any special persistent platform privileges and does not modify other skills. No persistence/auto-enable indicators present.