Kuaidi100 Package Tracker
Review
Audited by ClawScan on May 13, 2026.
Overview
This appears to be a legitimate package-tracking and calendar-reminder skill, but it needs delivery-service and optional Google Calendar credentials and should have its webhook secured.
This skill looks purpose-aligned. Before installing, be comfortable providing Kuaidi100 credentials and optional Google Calendar OAuth credentials, expect a Python helper to run locally, set a strong webhook token and strict signature verification if possible, and remember that package tracking data will be stored in your OpenClaw workspace.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and configuring the skill gives it access to subscribe to package tracking and, if Google credentials are provided, create or update calendar reminders.
The plugin requires Kuaidi100 API credentials and can optionally use Google Calendar OAuth credentials.
"kuaidi100" ... "required": ["customer", "key"] ... "calendar" ... "client_secret" ... "refresh_token"
Use only credentials intended for this integration, prefer a dedicated calendar if possible, and rotate any API or OAuth secrets if they are exposed.
If the public webhook URL or path token leaks, forged callbacks could update local package state and potentially trigger calendar reminder changes.
The webhook is designed to receive public Kuaidi100 callbacks, and its default signature mode accepts callbacks rather than rejecting invalid or unsigned ones.
"soft" (default): Accept all callbacks, log verification result; "strict": Reject callbacks with invalid or missing signatures
Configure a strong webhook token and salt, use signatureMode "strict" when compatible, and avoid exposing the webhook beyond what Kuaidi100 needs.
Tool use and webhook handling execute local Python code with the configured credentials and package data.
The plugin runs its included Python core through python3 for tool and webhook operations.
execFileAsync("python3", [SCRIPT, command, JSON.stringify(args)], { env, timeout: 30_000 })
Install only from a trusted package source and ensure the intended Python runtime is used.
Delivery details and package notes remain on disk and may be reused in future package-listing or reminder actions.
The skill persists tracking numbers, package status, and related delivery information locally for later reuse.
Local state — Package data stored locally, `list_packages` costs zero API quota
Remove tracking entries when no longer needed and protect or delete the local state file if the machine is shared.
The skill remains active after setup and can continue receiving package callbacks until disabled.
The plugin starts with OpenClaw so it can keep its webhook route available for package push updates.
"activation": { "onStartup": true }
Disable or uninstall the skill if you no longer want it to receive package updates or write reminders.
