Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

International Platform Group Test Collection (国际平台组测试合集)

v1.0.0

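JD International logistics data query skill. Core capabilities: three functional modules covering logistics tracking, international operations metrics queries, and cross-border small parcel experience metrics queries.
1. International logistics tracking skill
Description: queries real-time tracking information for an international logistics number.
Supported number types:
- JD order numbers beginning with FS
- JD waybill numbers beginning with JDW
- Customer waybill numbers
- Carrier waybill numbers
Core capabilities:
- Real-time quer...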

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jdl-external-skills/iplat-test-skill.

Install the skill "国际平台组测试合集" (jdl-external-skills/iplat-test-skill) from ClawHub.
Skill page: https://clawhub.ai/jdl-external-skills/iplat-test-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install iplat-test-skill

ClawHub CLI

npx clawhub@latest install iplat-test-skill
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The stated purpose is querying JD international logistics and related metrics, and most files implement HTTP POST calls to JD-like APIs (us-api.jd.com). However the tracking script sends requests to lop-proxy.ochama.com (not a JD domain) while setting headers that impersonate JD (LOP-DN: ifop.skill.eu.outer.jd.com). This third-party endpoint is not justified by the description and is unusual for a JD integration.
! Instruction Scope
Runtime instructions tell the agent to run local Node scripts that send user-supplied identifiers to external APIs. The SKILL.md and README do not declare the required environment variable(s) even though the scripts read process.env.token; the README shows inconsistent variable names (api_key vs token). The SKILL.md enforces strict CLI invocation which limits arbitrary behavior, but the code will attach an env token header to external endpoints and will proceed even with TLS verification disabled, which expands impact beyond the described scope.
Install Mechanism
No install spec is present (instruction-only install), so nothing is automatically downloaded during installation. Code files are bundled with the skill which will be executed by the agent when invoked; no external installer URLs or archives are used.
! Credentials
The skill does not declare required env vars but the scripts require a token (process.env.token) and the README suggests storing credentials in ~/.env. Variable naming is inconsistent (README shows api_key example, Windows example uses token). The single token credential would be proportionate for calling JD APIs, except that the token is sent to a non-JD host (lop-proxy.ochama.com) in one script, increasing the risk that a secret is exfiltrated.
Persistence & Privilege
The skill does not request persistent/always-on privileges (always:false) and does not attempt to modify other skills or system-wide configuration. Autonomous invocation is allowed by platform default; combined with the other concerns this raises the blast radius but is not in itself a policy violation.
What to consider before installing
Before installing or running this skill, verify the publisher and endpoints: ask whether lop-proxy.ochama.com is an approved JD proxy. Do not provide real JD credentials or tokens until you confirm the correct environment variable name and intended endpoint. Prefer to run the bundled scripts in an isolated/test environment and inspect network traffic (or run with a dummy token) to confirm where requests go. Also ask the author to (1) declare the required env var explicitly, (2) remove or explain any code that disables TLS verification (rejectUnauthorized: false), and (3) replace any third‑party host with an official JD API endpoint or provide documentation proving the proxy is legitimate. If you cannot confirm these, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk971h07hpt0vbqrhqcnnj5h48n85fckf
67 downloads
0 stars
1 versions
Updated 3d ago
v1.0.0
MIT-0

joy-logistics-skill — International Logistics Skills Collection

Complete collection of multiple logistics skills for OpenClaw agents.

Included Skills

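| Skill | Category | Description |
| --- | --- | --- |
| joy-logistics-trace | logistics-trace-query | International logistics tracking detail query |
| joy-logistics-indicator | indicators-query | International supply chain and cross-border small parcel metrics query |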

Documentation

See README.md for the complete setup guide (in Chinese).