17track package tracking
v0.1.0Track parcels via the 17TRACK API (local SQLite DB, polling + optional webhook ingestion)
⭐ 4· 2k·6 current·6 all-time
byTristan Manchester@tristanmanchester
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description, required env vars, and included code align: the tool talks to 17TRACK APIs, stores data in a workspace-local SQLite DB, and optionally ingests webhooks. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
SKILL.md and the CLI instruct the agent to initialise a local DB, register tracking numbers, poll (sync) and optionally run or ingest webhooks. The skill auto-detects a workspace by walking the script's parent directories (or using TRACK17_WORKSPACE_DIR/CLAWDBOT_WORKSPACE_DIR) and will read/write under <workspace>/packages/track17/. This file I/O and optional webhook-server behavior is within the stated scope but worth noting: running the server or processing inbox files gives the skill permission to accept and store external payloads and to write into the workspace directory.
Install Mechanism
There is no install spec and the included Python script uses only the standard library (no external downloads or package installs). That minimizes install-time risk; the code is included with the skill rather than fetched from an arbitrary URL.
Credentials
Only TRACK17_TOKEN is required (primaryEnv). Optional envs (TRACK17_WEBHOOK_SECRET, TRACK17_DATA_DIR, TRACK17_WORKSPACE_DIR, TRACK17_LANG) are plausible and relevant. No unrelated secrets or large sets of credentials are requested.
Persistence & Privilege
The skill is not marked always:true, does not request to modify other skills, and writes only to its own workspace-local data dir by default. It can be invoked autonomously (platform default), which is expected for skills, but that is not combined with elevated platform privileges.
Assessment
This skill is coherent with its purpose, but review and small precautions before enabling are recommended:
- Confirm TRACK17_TOKEN is a token you intend to give to this skill and use a token with minimal scope if possible.
- Be aware the script writes a SQLite DB and raw webhook payloads under <workspace>/packages/track17/ (or TRACK17_DATA_DIR if set). If you prefer a specific location, set TRACK17_DATA_DIR or TRACK17_WORKSPACE_DIR before first use.
- If you enable webhooks: prefer to run the webhook-server bound to localhost behind a reverse proxy or use a tunnelling service (as the README suggests). Do not run the webhook-server publicly without configuring TRACK17_WEBHOOK_SECRET and verifying signatures.
- Inspect scripts/track17.py yourself (it’s included) before enabling; because it is executed locally, review ensures it matches your risk tolerance.
- Run in a restricted environment or sandbox if you want to limit where files can be written. If you don’t need push webhooks, use the polling (sync) workflow to minimize exposed surface.
If you want extra assurance, ask for a short summary of the script's network endpoints and file paths and a confirmation that it will not contact any hosts other than 17track/res.17track.net.Like a lobster shell, security has layers — review code before you run it.
latestvk9756jhnm7zbwdpvgtc0r22x5n7zcaek
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📦 Clawdis
Any binpython3, python
EnvTRACK17_TOKEN
Primary envTRACK17_TOKEN