International Platform Group Test Collection

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or malformed query value could be interpreted by the shell as an extra command or could change the arguments sent to the script.

Why it was flagged

The skill instructs the agent to place user-derived parameter values directly into a shell command without quoting or escaping.

Skill content

Parameter values must not be wrapped in any quotes; pass the value directly ... node {baseDir}/scripts/get_isc_data.js <value of dims> ... <value of customerCodeList>

Recommendation

Use a structured command invocation with an argument array, or strictly validate and safely quote all user-derived values before execution.

What this means

On an untrusted or compromised network, the token and logistics query data could be exposed to a man-in-the-middle attacker.

Why it was flagged

The script sends the provider token in an HTTPS request while disabling certificate verification; the same unsafe TLS pattern appears in the other API scripts.

Skill content

headers: { ... 'token': token, ... },
  rejectUnauthorized: false

Recommendation

Remove `rejectUnauthorized: false` and require normal TLS certificate validation for all credential-bearing API requests.

What this means

Users may not realize before install that the skill needs a JD logistics API token and will send it to external provider endpoints.

Why it was flagged

The registry metadata does not declare the needed credential even though the capability signal and scripts indicate a sensitive token is required.

Skill content

Required env vars: none ... Primary credential: none ... Capability signals - requires-sensitive-credentials

Recommendation

Declare the required `token` environment variable or primary credential clearly, including the intended endpoints and minimum token scope.

What this means

It may be harder to verify exactly which package identity and version you are trusting.

Why it was flagged

The bundled package metadata differs from the registry entry shown for `iplat-test-skill` version `1.0.0`, which creates provenance and update-tracking ambiguity.

Skill content

"slug": "i-logisitics-skill",
  "version": "1.0.1"

Recommendation

Confirm the publisher and package identity, and ask the maintainer to align registry metadata, `_meta.json`, and origin metadata.