kuaidi100-skill-快递100物流查询

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to do what it claims—query 快递100 logistics APIs—but users should know it can send tracking numbers, phone numbers, addresses, and an optional API key to 快递100.

This skill is reasonable for 快递100 logistics queries. Before installing or using it, be comfortable with sending shipment information to api.kuaidi100.com, and use a dedicated API key if you configure one.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may use this skill whenever it detects a shipping or tracking request, rather than waiting for an explicit tool-use confirmation.

Why it was flagged

The skill instructs the agent to invoke it automatically for logistics-related mentions. This is purpose-aligned, but users should understand it may call the external service proactively for relevant requests.

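Skill content

When the user mentions needs such as a tracking number, a logistics trail, checking a parcel, a shipping cost estimate, an estimated arrival time, or identifying the courier company, this skill must be used. ... This skill must also be triggered proactively.

Recommendation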

Use the skill for intended logistics queries, and ask for confirmation before sending phone numbers or full addresses if the user has not clearly requested a lookup.

What this means

If configured, the user's 快递100 API key will be sent to the 快递100 API and may be visible in request logs controlled by that provider.

Why it was flagged

The script can use an API key from local config or an environment variable and includes it in the HTTPS GET query sent to 快递100. This matches the service purpose, but it is still credential handling.

Skill content

key: getKey(), ... const fullPath = `${BASE_PATH}${path}?${queryStr}`; ... return process.env.KUAIDI100_API_KEY || 'null';

Recommendation

Use a dedicated, revocable API key with appropriate quota limits, and avoid placing higher-privilege or unrelated credentials in config.json or KUAIDI100_API_KEY.

What this means

Tracking numbers, phone numbers, origin/destination addresses, and logistics history may be shared with 快递100 to perform the requested lookup or estimate.

Why it was flagged

The script sends shipment-related data, including optional phone numbers and addresses, to the fixed external provider api.kuaidi100.com. This is expected for the logistics functions, but it is a personal-data flow.

Skill content

const BASE_URL = 'api.kuaidi100.com'; ... params.phone = phone; ... recAddr: recAddr, sendAddr: sendAddr

Recommendation

Only provide the minimum shipping details needed for the requested query, and avoid sending phone numbers or full addresses unless the carrier/API requires them.