Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

快递查询demo (Express Delivery Tracking Demo)

v1.0.0

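Queries express delivery tracking history and sign-for status, with automatic carrier detection and support for multiple mainstream carriers. Requires a Kuaidi100 authorization key.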

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for blueyan163-bot/kauidi-express.

Install the skill "快递查询demo" (blueyan163-bot/kauidi-express) from ClawHub.
Skill page: https://clawhub.ai/blueyan163-bot/kauidi-express
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install kauidi-express

ClawHub CLI

npx clawhub@latest install kauidi-express
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill claims to query KuaiDi100, and the code posts to KuaiDi100's poll endpoints using KUAIDI100_KEY and KUAIDI100_CUSTOMER, which is coherent. However, the registry metadata reported 'required env vars: none' while SKILL.md and the code require two env vars; this metadata mismatch is inconsistent and surprising.
!
Instruction Scope
SKILL.md instructs running 'python3 skills/kuaidi100/kuaidi100.py' and describes a 'companies' command, but the provided code file is express.py (path/name mismatch). The code's handling of the 'companies' argument is incomplete: it contains an ellipsis (...) and then proceeds to json.loads(arg), so passing 'companies' will cause JSON parsing failure. The instructions otherwise only reference the expected env vars and the KuaiDi100 API endpoints and do not attempt to read unrelated files or credentials.
Install Mechanism
No install spec (instruction-only) — low risk for unexpected installs. However the Python script uses the 'requests' library which is not declared in SKILL.md or the manifest; missing dependency information may cause runtime failure. No downloads or external install URLs are present.
Credentials
The only credentials the code uses are KUAIDI100_KEY and KUAIDI100_CUSTOMER, which are appropriate for this KuaiDi100 integration. The inconsistency is that the registry metadata omitted these required env vars while SKILL.md includes them; require/manifest mismatch should be resolved before trusting the package.
Persistence & Privilege
Skill does not request elevated persistence (always: false), does not attempt to modify other skills or system configuration, and does not include an install script that would write persistent files. Autonomous invocation is permitted (platform default) but is not combined with other concerning privileges.
What to consider before installing
This skill looks like a legitimate KuaiDi100 tracking helper, but there are practical inconsistencies and a bug you should address before enabling it. Do not install or expose other credentials until resolved. Specific actions to consider:

- Do not trust the registry metadata that lists no env vars; the code requires KUAIDI100_KEY and KUAIDI100_CUSTOMER. Only provide those KuaiDi100 credentials if you obtained them yourself.
- Fix or confirm the script path: SKILL.md references skills/kuaidi100/kuaidi100.py but the repo contains express.py. Either rename the file or update SKILL.md.
- The 'companies' command is not implemented correctly (the code will try to parse the literal 'companies' as JSON). Test the script in a safe environment and correct the implementation if you need that feature.
- Ensure Python and the 'requests' library are installed on the agent host (the package doesn't declare this dependency).
- Because there are inconsistencies between manifest, SKILL.md, and code, prefer to run the script manually (outside an agent) for testing, and audit network requests to confirm they only go to poll.kuaidi100.com before enabling autonomous agent use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e9cb7e06ejvxx2hemd2mbg9844ncp
80 downloads
0 stars
1 versions
Updated 3w ago
v1.0.0
MIT-0

name: kuaidi100
description: 使用快递100 API 查询快递物流轨迹、签收状态,支持自动识别快递公司及多家主流快递公司查询。
metadata: { "openclaw": { "emoji": "📦", "requires": { "bins": ["python3"], "env": ["KUAIDI100_KEY", "KUAIDI100_CUSTOMER"] }, "primaryEnv": "KUAIDI100_KEY" } }

Kuaidi100 Query (KuaiDi100)

An OpenClaw skill built on the Kuaidi100 API for querying express delivery tracking history, sign-for status and related information, with automatic carrier detection.

An authorization key is required before using the skill. Apply at: https://www.kuaidi100.com/manager/v2/query/overview

Environment variable configuration

Linux / macOS

```
export KUAIDI100_KEY="your_key_here"
export KUAIDI100_CUSTOMER="your_customer_id"
```

Windows PowerShell

```
$env:KUAIDI100_KEY="your_key_here"
$env:KUAIDI100_CUSTOMER="your_customer_id"
```

Script path

Script file: skills/kuaidi100/kuaidi100.py

Usage

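  1. Query with automatic carrier detection

```
python3 skills/kuaidi100/kuaidi100.py '{"number":"JDxxxxx"}'
```

  2. Query with a specified carrier

```
python3 skills/kuaidi100/kuaidi100.py '{"number":"JDxxxxx","com":"jd"}'
```

  3. List the supported carriers

```
python3 skills/kuaidi100/kuaidi100.py companies
```

The return value is an array; each item has the form:

```
{ "comCode": "shunfeng", "name": "顺丰速运" }
```

Request parameters (passed as JSON when querying)

| Field | Type | Required | Description |
|---|---|---|---|
| number | string | Yes | Tracking number |
| com | string | No | Carrier code; detected automatically if omitted |
| phone | string | No | Last four digits of the recipient's or sender's mobile number (required by some carriers) |

Example: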

```
{ "number": "JDxxxxx", "com": "jd" }
```

Example result

The script prints the JSON returned by the API directly. Typical structure:

```
{
  "message": "ok",
  "nu": "JDxxxxx",
  "com": "jd",
  "state": "3",
  "data": [
    { "time": "2024-01-15 14:30:00", "context": "已签收,签收人:本人" },
    { "time": "2024-01-15 08:20:00", "context": "配送员正在为您派送中" },
    { "time": "2024-01-14 20:15:00", "context": "快件到达【北京朝阳区东城分部】" }
  ]
}
```

Status codes (state field):

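| Code | Meaning |
|---|---|
| 0 | In transit |
| 1 | Picked up |
| 2 | Exception |
| 3 | Signed for |
| 4 | Delivery refused |
| 5 | Out for delivery |
| 6 | Returned |

Example output on error: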

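```
{ "error": "api_error", "message": "快递公司代码错误", "status": "0" }
```

Supported carriers

| Code | Name |
|---|---|
| shunfeng | SF Express (顺丰速运) |
| yuantong | YTO Express (圆通速递) |
| zhongtong | ZTO Express (中通快递) |
| yunda | Yunda Express (韵达快运) |
| shentong | STO Express (申通快递) |
| jtexpress | J&T Express (极兔速递) |
| tiantian | Tiantian Express (天天快递) |
| ems | EMS |
| youzhengguonei | China Post (中国邮政) |
| debang | Deppon Express (德邦快递) |
| jd | JD Express (京东快递) |
| suning | Suning Express (苏宁快递) |

Recommended usage in OpenClaw

- The user says, for example: "Track JD Express parcel JDxxxxx for me."
- The agent constructs: python3 skills/kuaidi100/kuaidi100.py '{"number":"JDxxxxx","com":"jd"}'
- The agent parses the returned JSON and summarizes for the user: current status, whether the parcel has been signed for, the most recent tracking events, and so on.

OpenClaw skill configuration

Add the following to the OpenClaw configuration file: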

```
{ "skills": { "kuaidi100": { "enabled": true } } }
```

The skill is ready to use once the environment variables are set.
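The recommended agent flow in SKILL.md (build the command from the user's request, then parse the returned JSON), as an added Python example that is not the skill's own code. `build_argv`, `summarize`, the tracking-number pattern and the English state labels are assumptions introduced here; the carrier codes, state codes and script path are the ones documented in SKILL.md.

```python
import json
import re

# Carrier codes and state codes copied from the tables in SKILL.md.
CARRIERS = {"shunfeng", "yuantong", "zhongtong", "yunda", "shentong", "jtexpress",
            "tiantian", "ems", "youzhengguonei", "debang", "jd", "suning"}
STATES = {"0": "in transit", "1": "picked up", "2": "exception", "3": "signed for",
          "4": "delivery refused", "5": "out for delivery", "6": "returned"}
SCRIPT = "skills/kuaidi100/kuaidi100.py"  # path as documented in SKILL.md

# Assumption: tracking numbers are 6-32 ASCII letters/digits (the page gives no format).
NUMBER_RE = re.compile(r"[A-Za-z0-9]{6,32}")

def build_argv(number, com=None, phone=None):
    """Validate user-supplied fields and return an argv list for subprocess.run (no shell)."""
    if not NUMBER_RE.fullmatch(number):
        raise ValueError("invalid tracking number")
    query = {"number": number}
    if com is not None:
        if com not in CARRIERS:
            raise ValueError("unknown carrier code")
        query["com"] = com
    if phone is not None:
        if not re.fullmatch(r"[0-9]{4}", phone):
            raise ValueError("phone must be the last four digits")
        query["phone"] = phone
    # json.dumps does the quoting; the JSON travels as a single argv element.
    return ["python3", SCRIPT, json.dumps(query)]

def summarize(raw, latest=2):
    """Turn the script's JSON output into a short status summary."""
    resp = json.loads(raw)
    if "error" in resp:  # error shape documented in SKILL.md
        return {"ok": False, "error": resp["error"], "message": resp.get("message", "")}
    state = str(resp.get("state", ""))
    # Sort newest first rather than trusting the order of the returned list.
    events = sorted(resp.get("data", []), key=lambda e: e.get("time", ""), reverse=True)
    return {"ok": True, "number": resp.get("nu"), "carrier": resp.get("com"),
            "state": STATES.get(state, "unknown state " + state),
            "signed": state == "3",
            "latest": [(e.get("time"), e.get("context")) for e in events[:latest]]}

# Constructed sample output, shaped like the result example in SKILL.md.
SAMPLE = json.dumps({"message": "ok", "nu": "JD0000000001", "com": "jd", "state": "3", "data": [
    {"time": "2024-01-14 20:15:00", "context": "arrived at sorting hub"},
    {"time": "2024-01-15 14:30:00", "context": "signed for"}]})
```

Pass the list from `build_argv` to `subprocess.run` as-is, with `KUAIDI100_KEY` and `KUAIDI100_CUSTOMER` set in the environment, and feed the captured stdout to `summarize`.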
