kuaidi100-logistics
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A casual package-related request may trigger a Kuaidi100 API call if the agent has enough information.
The skill directs the agent to invoke it proactively for logistics-related mentions. This is aligned with the skill purpose, but users should be aware it encourages automatic external lookups.
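When the user mentions needs such as a tracking number, logistics trace, checking a parcel, shipping cost estimate, estimated arrival time, or identifying the courier company, this skill must be used. ... This skill should also be triggered proactively.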
Use the skill for explicit logistics requests, and prefer confirming before sending sensitive tracking, phone, or address details.
If configured, the API key may be used for Kuaidi100 requests and could consume the user’s quota.
The skill can use a provider API key from the environment. This is expected for Kuaidi100 API access and there is no evidence of unrelated credential use or leakage.
`KUAIDI100_API_KEY`: Kuaidi100 API Key (optional; the free quota is used when it is not set)
Only set KUAIDI100_API_KEY if you intend this skill to use your Kuaidi100 account, and rotate or revoke it if no longer needed.
Package identifiers, phone numbers, addresses, and logistics history may be shared with Kuaidi100 to fulfill the request.
The skill sends tracking numbers, optional phone numbers, and address information to the external Kuaidi100 API. This is necessary for the advertised logistics functions, but it is still a sensitive data flow.
queryTrace?key=${KEY}&kuaidiNum=${快递单号}&phone=${手机号} ... --data-urlencode "recAddr=${收件地址}" ... --data-urlencode "sendAddr=${寄件地址}"
Avoid sending package or contact details you do not want shared with Kuaidi100, and review any organization privacy requirements before use.
