Package Tracker

Pass. Audited by ClawScan on May 10, 2026.

Overview

This package-tracking skill appears to match its purpose, but it needs a 17track key, installs Python packages, saves shipment history locally, and its optional scheduled checks can send updates to messaging channels.

Before installing, review the full tracker.py file because the supplied artifact is truncated, then run setup.sh only if you are comfortable installing its Python dependencies. Use a dedicated 17track API key, keep scripts/.env private, avoid sensitive package descriptions, and enable cron or heartbeat checks only if you want ongoing background package polling.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill may download current versions of Python packages from the package index.

Why it was flagged

The setup script installs dependencies at setup time; the referenced requirements file lists httpx and python-dotenv without version pins. This is common for a Python CLI skill, but it relies on the external package supply chain.

Skill content

"$SCRIPT_DIR/venv/bin/pip" install -q --upgrade pip
"$SCRIPT_DIR/venv/bin/pip" install -q -r "$SCRIPT_DIR/requirements.txt"

Recommendation

Review setup.sh before running it, consider pinning dependency versions, and install only in the intended virtual environment.

What this means

Anyone with access to the .env file could potentially see service tokens you place there.

Why it was flagged

The setup template creates local fields for a 17track API key and optional Telegram credentials. The 17track key is expected for the stated service; the Telegram fields are optional and not required by the core SKILL.md workflow.

Skill content

SEVENTEEN_TRACK_API_KEY=

# Telegram notifications (optional)
TELEGRAM_BOT_TOKEN=
TELEGRAM_CHAT_ID=

Recommendation

Add only the credentials you actually need, keep scripts/.env private, and avoid entering optional Telegram credentials unless you intend to use direct Telegram notifications.

What this means

Package details and descriptions may remain on disk after use.

Why it was flagged

The skill intentionally persists tracking numbers, descriptions, event history, and API usage locally. This is disclosed and purpose-aligned, but shipment data can be personal.

Skill content

**Database:** `scripts/data/tracker.db` (SQLite)
**Tables:** `packages`, `tracking_events`, `api_usage`

Recommendation

Avoid overly sensitive package descriptions, protect the skill directory, and delete the local database if you no longer want the history retained.

What this means

Shipment updates could appear in chat apps or logs configured for OpenClaw messaging.

Why it was flagged

Update notifications are emitted to stdout for OpenClaw to forward to configured messaging channels. This is the documented notification design, but it can expose tracking status and descriptions to those channels.

Skill content

OpenClaw reads this output and relays it via its native message tool — which works on Telegram, Signal, Discord, WhatsApp, or whatever channel the user has configured.

Recommendation

Use only trusted messaging channels and be aware that package descriptions and tracking numbers may be included in notifications.

Note (High Confidence)
ASI10: Rogue Agents

What this means

If you add the cron job or heartbeat, the checker can continue polling 17track and producing notifications on a schedule.

Why it was flagged

The skill documents optional cron/OpenClaw heartbeat use for periodic background checks. This is disclosed and user-directed, not hidden persistence.

Skill content

0 */3 * * * cd /root/.openclaw/workspace/skills/package-tracker && scripts/venv/bin/python scripts/check_updates.py --quiet

Recommendation

Only enable scheduled checks if you want ongoing background polling, and remove the cron/heartbeat entry when you stop using the skill.