Kuaidi100 Package Tracker

Pass. Audited by VirusTotal on May 13, 2026.

Findings (1)

The package-tracker skill bundle is a legitimate tool designed to track Chinese domestic shipments via the Kuaidi100 API and sync delivery reminders to Google Calendar. The implementation uses a Node.js wrapper (index.ts) to execute a Python core (tracker_core.py) using execFile with JSON-encoded arguments, which is a secure pattern for inter-process communication. It includes appropriate security measures such as webhook rate limiting, token-based path authentication, and optional cryptographic signature verification for incoming Kuaidi100 callbacks. No evidence of data exfiltration, malicious command execution, or prompt injection was found.