Post.at Tracking
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is a coherent post.at CLI reference, but it uses postal account credentials and can change package delivery instructions, so users should confirm sensitive actions.
This looks like a normal instruction-only helper for the post.at CLI. Before using it, make sure the `post-at` executable is the trusted one, keep your postal account credentials secure, and do not let the agent change delivery-place settings unless you have explicitly approved the tracking number and location.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The CLI can access private delivery details under the user's postal account.
The skill requires the user's post.at account credentials to access delivery information. This is expected for the integration, but it is sensitive account authority and is not reflected in the registry's credential/env-var declarations.
requires your own account credentials. Credentials: `POST_AT_USERNAME` and `POST_AT_PASSWORD` environment variables (or `--username` / `--password` options).
Use only with the intended post.at CLI, keep credentials out of chat/history where possible, and store environment variables securely.
A mistaken or overbroad routing change could cause packages to be left in an unintended or less secure location.
The skill documents commands that can change delivery-place routing, including a bulk-oriented workflow. This matches the stated purpose, but it affects where physical packages may be left.
Set all upcoming deliveries to door:
```bash
# First list deliveries
post-at deliveries --json > /tmp/deliveries.json
# Then set place for each (requires scripting)
# Example for a specific one:
post-at routing place 1042348411302810212306 \
```
Require explicit user confirmation before any `routing place` command, especially bulk changes, and verify tracking numbers and delivery location text before running.
Installing or running the wrong external CLI could expose post.at credentials or delivery data.
The skill is instruction-only and invokes an external `post-at` command, while the provided artifacts include no install spec or CLI code. This is not suspicious by itself, but users should verify the external CLI provenance.
homepage: https://github.com/krausefx/post-at-cli
...
```bash
post-at login
```
Install the CLI only from the intended trusted source and verify the executable before using it with postal account credentials.
