Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cn Express Tracker

v1.0.0

Query package tracking information from Chinese and international carriers using Kuaidi100 API. Supports auto-detection of carrier from tracking number. Use...

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill's name/description (Kuaidi100-based tracking) matches what the included script does: local carrier detection + signed POST to poll.kuaidi100.com. However, the registry metadata lists no required environment variables or primary credential while the SKILL.md and scripts/track.sh both require EXPRESS_TRACKER_KEY and EXPRESS_TRACKER_CUSTOMER. That metadata/instruction mismatch is an incoherence a user should notice.
[!] Instruction Scope
SKILL.md and scripts/track.sh limit actions to local carrier-detection logic and a single HTTPS POST to poll.kuaidi100.com and JSON parsing; they do not access other system credentials or network endpoints. But the SKILL.md explicitly instructs users to persist API keys by appending exports to ~/.bashrc or ~/.zshrc, which encourages storing secrets in plaintext in shell startup files. The Agent Integration snippet references placeholders ($KEY / $CUSTOMER) not declared in registry metadata, another mismatch.
Install Mechanism
This is an instruction-only skill with a bundled shell script; there is no install spec, no downloads, and no packages installed by the skill. It relies on standard local binaries (curl, jq, md5/openssl) which is proportionate to its purpose.
[!] Credentials
The only secrets the skill needs (EXPRESS_TRACKER_KEY and EXPRESS_TRACKER_CUSTOMER) are appropriate for Kuaidi100 API access. However, the registry metadata claimed 'no required env vars' while the runtime instructions and script require two API credentials — this inconsistency reduces trust and should be corrected/clarified before use.
Persistence & Privilege
The skill does not request permanent platform-level privileges (always:false) and does not modify other skills or system-wide agent settings. The only persistence recommended is optional user action to add exports to shell rc files (which is a user-facing suggestion, not an automated change).
What to consider before installing
This skill’s code matches its stated purpose: it auto-detects a carrier and sends a signed HTTPS request to poll.kuaidi100.com. However, the package metadata omitted the fact that two API credentials are required — SKILL.md and scripts/track.sh do require EXPRESS_TRACKER_KEY and EXPRESS_TRACKER_CUSTOMER. Before installing or using:

  1. verify the skill source and prefer running the included script locally rather than giving the agent persistent access to your secrets;
  2. avoid pasting API keys into ~/.bashrc or ~/.zshrc — use ephemeral environment variables or a secrets manager if available;
  3. confirm the API key/account on Kuaidi100 and limit its scope/balance;
  4. if you plan to let the agent invoke the skill autonomously, be aware it will have network access to poll.kuaidi100.com and will use the provided API credentials for those calls.

If the missing metadata (required env vars / primary credential) is fixed and you control the API keys, the skill appears coherent for tracking use — otherwise treat the metadata mismatch as a red flag and request the publisher correct it.

MIT-0

Express Tracker (Express Delivery Tracking)

Track packages from 200+ carriers (Chinese domestic + international) via Kuaidi100 API.

Setup (Required)

Users must obtain their own Kuaidi100 API credentials:

  1. Register at Kuaidi100 Open Platform

    • Register an enterprise account (individuals can also register)
    • Free tier: 100 queries/day after verification
  2. Get credentials from the Kuaidi100 Dashboard:

    • Authorization Key (API Key): found under 授权信息 (Authorization Info) → 授权key
    • Customer ID: found under 授权信息 (Authorization Info) → customer
  3. Set environment variables:

    export EXPRESS_TRACKER_KEY="your_api_key_here"
    export EXPRESS_TRACKER_CUSTOMER="your_customer_id_here"
    

    For persistent config, add to ~/.bashrc or ~/.zshrc:

    echo 'export EXPRESS_TRACKER_KEY="your_key"' >> ~/.zshrc
    echo 'export EXPRESS_TRACKER_CUSTOMER="your_customer"' >> ~/.zshrc
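
An alternative to the shell-startup-file step above, added here as an example and not part of the skill's own code: the two variables are read from a mode-600 file and set only for the one process that needs them. The credentials path, the KEY=value file format and the function names are assumptions.

```sh
#!/bin/sh
# Added example. The file path, KEY=value format and function names are assumptions.
CRED_FILE="${EXPRESS_TRACKER_CRED_FILE:-$HOME/.config/express-tracker/credentials}"

# True only for a regular, non-symlink file whose mode is exactly 600 or 400.
cred_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # GNU stat syntax first, BSD/macOS syntax as the fallback.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case $mode in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the value of one KEY=value line. The file is parsed, never sourced,
# so nothing written in it can run as shell code.
read_cred() {
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# Run "$@" with both variables set for that one child process only.
# The body is a subshell, so key and customer never reach the calling shell.
run_with_creds() (
    cred_file_is_private "$CRED_FILE" || {
        echo "refusing $CRED_FILE: need a regular file with mode 600 or 400" >&2
        exit 1
    }
    key=$(read_cred EXPRESS_TRACKER_KEY "$CRED_FILE")
    customer=$(read_cred EXPRESS_TRACKER_CUSTOMER "$CRED_FILE")
    [ -n "$key" ] && [ -n "$customer" ] || {
        echo "EXPRESS_TRACKER_KEY or EXPRESS_TRACKER_CUSTOMER missing in $CRED_FILE" >&2
        exit 1
    }
    EXPRESS_TRACKER_KEY=$key EXPRESS_TRACKER_CUSTOMER=$customer "$@"
)

# Usage: run_with_creds scripts/track.sh 770308811947591
```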
    

Usage

    # Auto-detect carrier and query
    scripts/track.sh <tracking_number>

    # Specify carrier manually
    scripts/track.sh <tracking_number> <carrier_code>

Examples

    # Auto-detect (recommended)
    scripts/track.sh 770308811947591

    # Specify carrier explicitly
    scripts/track.sh SF1234567890 shunfeng

How It Works

  1. Carrier auto-detection: Local rule-based matching by tracking number prefix/length/format
  2. API query: Sends signed request to Kuaidi100 poll API with resultv2=4 for advanced status
  3. Output: Formatted timeline with full tracking history (newest first)

Supported Carriers (Auto-Detection)

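| Prefix/Pattern | Carrier | Code |
|---|---|---|
| SF | 顺丰速运 (SF Express) | shunfeng |
| YT | 圆通速递 (YTO Express) | yuantong |
| JT / J0 | 极兔速递 (J&T Express) | jitu |
| JD | 京东快递 (JD Express) | jd |
| CN | 菜鸟速递 (Cainiao Express) | cainiao |
| DPK | 德邦快递 (Deppon Express) | debangkuaidi |
| KYE | 跨越速运 (KYE Express) | kuayue |
| AN | 安能物流 (ANE Logistics) | annengwuliu |
| 1Z | UPS | ups |
| 78/73/72/21/68 + digits | 中通快递 (ZTO Express) | zhongtong |
| 10/11/12/13/19/46 + 13 digits | 韵达快递 (Yunda Express) | yunda |
| 77/88/66/55/44 + 13-15 digits | 申通快递 (STO Express) | shentong |
| E + letter + 9 digits + 2 letters | EMS | ems |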

If auto-detection fails, specify the carrier code manually as the second argument.

Full carrier code list: Kuaidi100 Carrier Codes
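
The prefix rules in the table above, written out as an added example (this is not the skill's scripts/track.sh), with an allowlist check on the tracking number before any rule runs. The function name, the 8-32 character limit and the reading of "+ N digits" as digits following the two-character prefix are assumptions.

```sh
#!/bin/sh
# Added example; detect_carrier is a hypothetical name, not the skill's script.
# Exit status: 0 = code printed, 1 = no rule matched (ask for the carrier),
#              2 = input rejected before any rule ran.
detect_carrier() (
    export LC_ALL=C                       # byte-wise ranges for A-Z and 0-9
    n=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    # Allowlist: letters and digits only, so the value cannot alter a
    # form field or JSON body it is later placed into.
    case $n in
        ''|*[!A-Z0-9]*) exit 2 ;;
    esac
    [ "${#n}" -ge 8 ] && [ "${#n}" -le 32 ] || exit 2   # assumed bounds

    rest=${n#??}                          # what follows a two-character prefix
    case $rest in
        *[!0-9]*) all_digits=0 ;;
        *)        all_digits=1 ;;
    esac

    case $n in
        SF*)     echo shunfeng ;;
        YT*)     echo yuantong ;;
        JT*|J0*) echo jitu ;;
        JD*)     echo jd ;;
        CN*)     echo cainiao ;;
        DPK*)    echo debangkuaidi ;;
        KYE*)    echo kuayue ;;
        AN*)     echo annengwuliu ;;
        1Z*)     echo ups ;;
        E[A-Z][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][A-Z][A-Z])
                 echo ems ;;
        78*|73*|72*|21*|68*)
            [ "$all_digits" = 1 ] && echo zhongtong || exit 1 ;;
        10*|11*|12*|13*|19*|46*)
            [ "$all_digits" = 1 ] && [ "${#rest}" -eq 13 ] && echo yunda || exit 1 ;;
        77*|88*|66*|55*|44*)
            [ "$all_digits" = 1 ] && [ "${#rest}" -ge 13 ] && [ "${#rest}" -le 15 ] \
                && echo shentong || exit 1 ;;
        *)  exit 1 ;;
    esac
)
```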

Dependencies

  • curl — HTTP requests
  • jq — JSON parsing (install: brew install jq / apt install jq)
  • openssl or md5sum or md5 — MD5 signature (at least one required)

Error Codes

| Code | Meaning | Action |
|---|---|---|
| 400 | Incomplete data / wrong carrier | Check carrier code |
| 408 | Phone verification failed | SF/ZTO require phone number |
| 500 | No tracking info found | Verify tracking number and carrier |
| 503 | Signature verification failed | Check API Key and Customer ID |
| 601 | API Key expired / no balance | Recharge account |

Agent Integration

When a user provides a tracking number, run:

    EXPRESS_TRACKER_KEY="$KEY" EXPRESS_TRACKER_CUSTOMER="$CUSTOMER" scripts/track.sh <number>

Parse the output and present the tracking timeline to the user. If carrier detection fails, ask the user which carrier it is.
