Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Logistics
v1.0.0
Manage end-to-end logistics: track shipments, optimize routes, coordinate carriers, handle warehouses, customs, returns, fleet, and monitor KPIs.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
Medium confidence
Purpose & Capability
The SKILL.md describes standard logistics capabilities (tracking, routing, carriers, warehouses, KPIs) that match the skill name and description. However, many of those capabilities require access to external systems (carrier APIs, TMS, customer portals, internal dashboards) and credentials; the package declares no environment variables, credentials, or config paths. The omission makes it unclear how the skill would actually perform integrations.
Instruction Scope
The runtime instructions direct the agent to 'pull latest tracking data from carrier API or TMS', 'ping carrier API', 'update customer-facing status portal and internal dashboard', 'assign drivers', 'generate booking confirmation and pickup request', and 'draft/retrieve customs documents'. These are high-impact actions that imply read/write access to external and internal systems and handling of sensitive data (orders, addresses, PII, contracts). The SKILL.md is vague about specific endpoints, authentication, and authorization checks, which gives the agent broad operational discretion.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. This reduces risk from arbitrary downloads or package installs.
Credentials
There are no declared required env vars or primary credentials, yet the instructions expect access to carrier/TMS APIs, dashboards, and potentially internal systems. In practice this skill would need multiple credentials (carrier API keys, TMS credentials, DB or portal auth) and scoped permissions. The lack of declared secrets is a mismatch: either metadata is incomplete or the skill implicitly relies on agent-level credentials, which is a risk.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable (normal). It does not declare modifications to other skills or system-wide settings in the SKILL.md. Autonomous model invocation is enabled by default (not a standalone flag), which is expected for skills but increases impact if the integration/access questions above are not resolved.
What to consider before installing
This skill's behavior fits a logistics agent, but the metadata is incomplete: ask the publisher for a clear list of required API endpoints, environment variables, and the exact permissions it needs (read-only vs write) for each system (carrier APIs, TMS, ERP, dashboards). Do not provide broad org or admin credentials. Require least-privilege service accounts and explicit consent/authorization for any write operations (assigning drivers, booking shipments, generating POs). Test the skill in a staging environment with synthetic data first, enable detailed audit logging, and restrict autonomous invocation until you verify which systems it will contact and how credentials are stored/rotated. Because the source/homepage is unknown, verify the publisher identity and request an explanation for why no credentials are declared in the package metadata; that missing information is the main reason this skill is flagged as suspicious.
Like a lobster shell, security has layers — review code before you run it.
