Package Tracker
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: package-tracker
Version: 1.0.0
The package-tracker skill is a legitimate utility for monitoring shipments via the 17track API. It uses a local SQLite database (tracker.db) to store tracking history and provides a CLI (cli.py) and a scheduled update script (check_updates.py). The code follows standard practices, uses well-known libraries (httpx, python-dotenv), and contains no evidence of data exfiltration, malicious execution, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may download current versions of Python packages from the package index.
The setup script installs dependencies at setup time; the referenced requirements file lists httpx and python-dotenv without version pins. This is common for a Python CLI skill but relies on external package supply chain.
"$SCRIPT_DIR/venv/bin/pip" install -q --upgrade pip
"$SCRIPT_DIR/venv/bin/pip" install -q -r "$SCRIPT_DIR/requirements.txt"
Review setup.sh before running it, consider pinning dependency versions, and install only in the intended virtual environment.
Anyone with access to the .env file could potentially see service tokens you place there.
The setup template creates local fields for a 17track API key and optional Telegram credentials. The 17track key is expected for the stated service; the Telegram fields are optional and not required by the core SKILL.md workflow.
SEVENTEEN_TRACK_API_KEY=
# Telegram notifications (optional)
TELEGRAM_BOT_TOKEN=
TELEGRAM_CHAT_ID=
Add only the credentials you actually need, keep scripts/.env private, and avoid entering optional Telegram credentials unless you intend to use direct Telegram notifications.
Package details and descriptions may remain on disk after use.
The skill intentionally persists tracking numbers, descriptions, event history, and API usage locally. This is disclosed and purpose-aligned, but shipment data can be personal.
**Database:** `scripts/data/tracker.db` (SQLite)
**Tables:** `packages`, `tracking_events`, `api_usage`
Avoid overly sensitive package descriptions, protect the skill directory, and delete the local database if you no longer want the history retained.
Shipment updates could appear in chat apps or logs configured for OpenClaw messaging.
Update notifications are emitted to stdout for OpenClaw to forward to configured messaging channels. This is the documented notification design, but it can expose tracking status and descriptions to those channels.
OpenClaw reads this output and relays it via its native message tool — which works on Telegram, Signal, Discord, WhatsApp, or whatever channel the user has configured.
Use only trusted messaging channels and be aware that package descriptions and tracking numbers may be included in notifications.
If you add the cron job or heartbeat, the checker can continue polling 17track and producing notifications on a schedule.
The skill documents optional cron/OpenClaw heartbeat use for periodic background checks. This is disclosed and user-directed, not hidden persistence.
0 */3 * * * cd /root/.openclaw/workspace/skills/package-tracker && scripts/venv/bin/python scripts/check_updates.py --quiet
Only enable scheduled checks if you want ongoing background polling, and remove the cron/heartbeat entry when you stop using the skill.
