Express Logistics Track - Express delivery tracking query

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims—query package tracking through JisuAPI—but it sends tracking details and a Jisu API key to that provider.

This appears safe to install if you trust JisuAPI and are comfortable providing a JISU_API_KEY. Be aware that shipment identifiers and optional phone suffixes go to that provider, and verify any Python dependencies from a trusted environment.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

Your Jisu API key will be used for package-tracking queries and may be associated with usage or billing/quota on that provider.

Why it was flagged

The skill uses a local Jisu API key to authenticate requests to the documented provider. This is purpose-aligned and disclosed, but it grants the skill authority to consume that API account's quota.

Skill content
appkey = (os.getenv("JISU_API_KEY")) ... params = {"appkey": appkey, "number": req.get("number", ""), "type": req.get("type", "auto")}
Recommendation

Use a dedicated or easily rotatable Jisu API key if possible, and monitor provider usage.

ASI07: Insecure Inter-Agent Communication
Low
What this means

JisuAPI receives the shipment identifier and, when provided, the last four digits of a sender/recipient phone number.

Why it was flagged

The code sends the tracking number, courier type, optional phone-number suffix, and API key to the external JisuAPI endpoint over HTTPS. This is expected for the skill's purpose, but it is still a third-party data flow.

Skill content
API_URL = "https://api.jisuapi.com/express/query" ... if mobile: params["mobile"] = mobile ... resp = requests.get(API_URL, params=params, timeout=10)
Recommendation

Use the skill only for shipments you are authorized to check, and avoid providing the phone suffix unless the courier requires it.
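The ASI03 and ASI07 findings above describe a single data flow: an API key read from the environment, plus a tracking number, courier type and optional phone suffix, all sent as query parameters to the JisuAPI endpoint. The following is an added example, not the skill's own code and not ClawScan output. It rebuilds that request offline so a reviewer can see exactly which fields leave the host, masks the key for logging, and refuses a full phone number where the skill only needs the last four digits. The endpoint and parameter names come from the scan's quoted snippets; the validation patterns, the function names build_query and third_party_fields, and the sample inputs are this example's own assumptions.

```python
"""
Added example (not the skill's code): reconstruct the JisuAPI request
the Express Logistics Track skill makes, without a network call and
without a real JISU_API_KEY, so the third-party data flow can be reviewed.
"""
import os
import re
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint and parameter names are taken from the scan's quoted snippet.
API_URL = "https://api.jisuapi.com/express/query"

# Conservative input shapes (assumption, not from the page): tracking
# numbers are alphanumeric, and the phone field is exactly four digits,
# matching the scan's description of a "last four digits" suffix.
_NUMBER_RE = re.compile(r"[A-Za-z0-9-]{6,40}")
_TYPE_RE = re.compile(r"[a-z0-9]{1,20}")
_MOBILE_SUFFIX_RE = re.compile(r"\d{4}")


def build_query(number: str, courier_type: str = "auto",
                mobile: Optional[str] = None,
                appkey: Optional[str] = None) -> str:
    """Return the exact URL the skill would request, after validating inputs.

    appkey defaults to JISU_API_KEY from the environment, as the skill does.
    Raises ValueError instead of sending malformed or over-shared data.
    """
    appkey = appkey if appkey is not None else os.getenv("JISU_API_KEY")
    if not appkey:
        raise ValueError("JISU_API_KEY is not set")
    if not _NUMBER_RE.fullmatch(number):
        raise ValueError("tracking number has an unexpected shape")
    if not _TYPE_RE.fullmatch(courier_type):
        raise ValueError("courier type has an unexpected shape")
    params = {"appkey": appkey, "number": number, "type": courier_type}
    if mobile is not None:
        # Only a four-digit suffix is ever forwarded; a full number is refused.
        if not _MOBILE_SUFFIX_RE.fullmatch(mobile):
            raise ValueError("mobile must be exactly the last four digits")
        params["mobile"] = mobile
    return f"{API_URL}?{urlencode(params)}"


def third_party_fields(url: str) -> Dict[str, str]:
    """List every field the provider receives, with the API key masked.

    Suitable for a log line or a pre-install review: it shows the identity
    (appkey) and the shipment data (number, type, mobile) leaving the host.
    """
    query = parse_qs(urlsplit(url).query)
    fields = {k: v[0] for k, v in query.items()}
    if "appkey" in fields:
        key = fields["appkey"]
        fields["appkey"] = key[:4] + "*" * max(len(key) - 4, 0)
    return fields


if __name__ == "__main__":
    # Constructed sample values; the key is a placeholder, not a real credential.
    url = build_query("SF1234567890", "sf", "6789", appkey="demo1234567890")
    print(url)
    print(third_party_fields(url))
```

Run with JISU_API_KEY unset and a placeholder key as above to see the request without contacting the provider; the masked output is what a log line or monitoring hook should record, never the raw query string.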

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

If requests is not already installed, a user may need to resolve that dependency separately.

Why it was flagged

The code depends on the external Python requests package, while the supplied install information lists no install spec or pinned Python dependency. The dependency is expected for HTTP API use, but it is not fully declared.

Skill content
import requests
Recommendation

Install dependencies from a trusted Python environment; the maintainer should add a requirements or install specification with a pinned requests version.