Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Joy Logistics

v1.0.3

JD International Logistics data query skill. Core capabilities: supports three functional modules: logistics trajectory tracking, international operations indicator query, and cross-border small-parcel experience indicator query. 1. International logistics trajectory tracking skill. Function description: query real-time logistics trajectory information for an international logistics tracking number. Supported tracking number types: - JD order numbers beginning with FS - JD waybill numbers beginning with JDW - customer waybill numbers - carrier waybill numbers. Core capabilities: - real-time query...

0 stars · 124 downloads · 0 current · 0 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for joy-logistics/joy-logistics.

Prompt preview (Install & Setup):
Install the skill "Joy Logistics" (joy-logistics/joy-logistics) from ClawHub.
Skill page: https://clawhub.ai/joy-logistics/joy-logistics
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install joy-logistics

ClawHub CLI


npx clawhub@latest install joy-logistics

Security Scan

VirusTotal: Suspicious (View report →)
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill claims no required environment variables or binaries, but all three included scripts expect a 'token' environment variable and the SKILL README shows steps to export a token. The SKILL.md and scripts assume Node.js is available (they run 'node ...') but required binaries do not list node. Requesting a token is coherent with calling JD APIs, but omitting that requirement from metadata is an inconsistency and reduces transparency. Additionally, one tracking script posts to lop-proxy.ochama.com (not a jd.com host), which does not obviously match the stated JD integration.
Instruction Scope
Runtime instructions direct the agent to run local Node scripts that build JSON payloads and POST them to external HTTP endpoints while including the 'token' header. Scripts follow tight parameter rules and do not ask to read unrelated local files (commented code to read ~/.env is inactive), but they do set rejectUnauthorized: false on HTTPS requests—this disables TLS certificate validation and broadens attack surface by allowing connections to servers with invalid/forged certs. The execution of network calls with an undeclared secret is out-of-band relative to declared metadata.
Install Mechanism
There is no install spec (instruction-only at registry level), which reduces supply-chain risk from arbitrary downloads. However code files are packaged with the skill and will be executed by running 'node' commands; the package does not declare Node as a required binary. No external archives or installers are fetched.
Credentials
The code requires a 'token' environment variable (and the README even shows how to set one), but the skill metadata lists no required env vars and no primary credential—this is a clear mismatch. Supplying 'token' gives the skill access to whatever the external endpoints honor; combined with the unexpected hostname (lop-proxy.ochama.com) and disabled TLS validation, the secret could be sent to an untrusted party. The sample token in the README may encourage users to store or reuse tokens without understanding their scope.
Persistence & Privilege
The skill does not request persistent/always-on installation (always:false), does not modify other skills or system-wide settings, and does not declare any config paths to access other skills' credentials. It requires local execution but does not attempt to gain elevated platform privileges.
What to consider before installing
This skill appears to implement JD logistics tracking and indicator queries, but there are several red flags you should address before installing or using it:

- The code requires an environment variable named 'token' (used as an API auth header), but the skill metadata does not declare any required credentials. Do not set or export any sensitive token unless you know exactly which service issued it and trust the skill owner.
- One tracking script posts to lop-proxy.ochama.com rather than an obvious jd.com API; confirm with the author/maintainer why this host is used and whether it is an authorized proxy. If you cannot verify the endpoint, do not provide real credentials.
- All HTTPS requests set rejectUnauthorized: false (TLS certificate validation disabled). This allows connections to servers with invalid/forged certificates and makes man-in-the-middle attacks easier. Request that this be removed (set to true or omitted) before using with real secrets.
- The skill assumes Node.js is available and instructs running local node scripts, but the registry metadata does not list node as a required binary. Ensure your environment is isolated (e.g., run in a sandbox) when testing.

Recommended next steps before trusting this skill:

1. Ask the publisher to update registry metadata to declare the required 'token' env var and to explain the exact authority/scope of that token (which API it authenticates to).
2. Ask why lop-proxy.ochama.com is used and for proof that it is an approved proxy for JD services; replace it with official endpoints if possible.
3. Require the removal of rejectUnauthorized: false so TLS is validated.
4. Test in a safe environment with a non-production token and monitor network traffic to verify where requests go.

If the author cannot satisfactorily explain the hostname and TLS settings, treat this skill as untrusted and avoid supplying real credentials.


latest: vk97573j76rb32r79q8wb4f6zc185f73v
124 downloads
0 stars
4 versions
Updated 3d ago
v1.0.3
License: MIT-0

joy-logistics — International Logistics Skills Collection

Complete collection of multiple logistics skills for OpenClaw agents.

Included Skills

Skill                   | Category              | Description
joy-logistics-trace     | logistics-trace-query | International logistics trajectory detail query
joy-logistics-indicator | indicators-query      | International supply chain and cross-border small-parcel indicator query

Documentation

See README.md for the complete setup guide (in Chinese).
