Correios Rastreio
v1.0.0Rastreie pacotes e encomendas dos Correios usando a API oficial com consultas por código, histórico e favoritos via comandos simples.
⭐ 0· 272·1 current·1 all-time
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's code and SKILL.md implement Correios package tracking via the official API (axios calls to api.correios.com.br). However, registry metadata lists no required env vars or binaries while the SKILL.md and code require CORREIOS_API_KEY and Node.js to run; this mismatch is unexplained.
Instruction Scope
Runtime instructions are narrowly scoped to calling the Correios API and local CLI operations. The SKILL.md does not mention that the tool stores history/favorites in a local data.json file (src/data.json path); the code reads/writes that file. No unrelated system paths or external endpoints beyond the Correios API are used.
Install Mechanism
There is no install spec (instruction-only claimed), but a Node.js project is included (package.json, package-lock.json, src/index.js). The skill depends on axios. The registry metadata does not declare Node as a required binary, which is inconsistent but not high-risk; no arbitrary remote downloads or extract steps are present.
Credentials
The only secret the code uses is CORREIOS_API_KEY (Bearer token) which is appropriate for calling the Correios API. However, the registry metadata does not declare this required env var (SKILL.md does), creating an inconsistency the user should resolve before trusting the package.
Persistence & Privilege
The skill does not request elevated privileges or global persistence. It writes a local data.json file (history and favorites) inside the package directory; this is normal for a CLI tool but means tracking codes are stored locally and could be inspected by others with filesystem access.
What to consider before installing
This skill's code implements Correios tracking and asks you to set CORREIOS_API_KEY — that is expected. However, the package metadata omitted the required env var and did not list Node.js as a runtime requirement; treat that as a sign the package metadata is incomplete. Before installing: (1) verify you will run it in a trusted environment with Node.js installed, (2) set CORREIOS_API_KEY in an environment you control (don't paste keys into public places), (3) be aware it stores history/favorites in a local data.json file inside the package folder (remove or inspect it if you don't want tracking codes saved), and (4) inspect the included src/index.js yourself (or run in a sandbox) — there are minor bugs/typos in the code (undefined variable used when formatting results) but no obvious exfiltration endpoints beyond the official Correios API. If you need metadata corrected (declare CORREIOS_API_KEY and Node as requirements), ask the publisher for an updated package before trusting it.Like a lobster shell, security has layers — review code before you run it.
latest
Correios Rastreio Skill
Rastreia pacotes e encomendas dos Correios via API oficial.
Gatilhos
Ative a skill usando:
"rastrear","rastreio"— rastrear código"onde está meu pacote"— verificar último"código dos correios"— ajuda"pedido","encomenda"— consultar
Como Usar
# Rastrear por código
node src/index.js track PW123456789BR
# Rastrear múltiplos códigos
node src/index.js track "PW123456789BR,AB987654321BR"
# Ver histórico local
node src/index.js history
# Adicionar aos favoritos (apelido)
node src/index.js save PW123456789BR "Presente aniversário"
# Listar favoritos
node src/index.js favorites
Configuração
Obtendo a API Key
-
Acesse o portal de desenvolvedores dos Correios: https://developers.correios.com.br
-
Crie uma conta ou faça login
-
Solicite acesso à API de Rastreamento
-
Copie sua API Key e configure:
export CORREIOS_API_KEY="sua_api_key_aqui"
Variáveis de Ambiente
CORREIOS_API_KEY— Token de autenticação (obrigatório)
API
- URL Base: https://api.correios.com.br
- Autenticação: Bearer Token
- Rate Limit: 3 requests/segundo
Comments
Loading comments...