Express Logistics Track - 快递物流查询 Security Report — Low Risk | ClawSafe

10 /100

Express Logistics Track - 快递物流查询

查快递物流轨迹与签收状态，支持自动识别公司与顺丰等校验

Legitimate express tracking skill that makes API calls to Jisu Express service using a user-provided API key with no malicious behavior observed.

Skill NameExpress Logistics Track - 快递物流查询

Duration27.0s

Enginepi

✓

Safe to install

No blocking action required. Consider removing the 'API_KEY=' placeholder text from SKILL.md documentation to avoid confusion.

Findings 1 items

Severity	Finding	Location
Low	Documentation placeholder may confuse users SKILL.md line 21 shows 'API_KEY="your_appkey_here"' which appears similar to a hardcoded credential but is actually just a configuration example placeholder `export JISU_API_KEY="your_appkey_here"` → Use a different placeholder format like '<YOUR_API_KEY>' to avoid confusion with actual credential patterns	`SKILL.md:21`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	N/A - No filesystem access
Network	`READ`	`READ`	✓ Aligned	express.py:13-14 - Only makes GET requests to api.jisuapi.com
Shell	`NONE`	`NONE`	—	N/A - No shell execution
Environment	`READ`	`READ`	✓ Aligned	express.py:114 - Reads JISU_API_KEY from os.getenv()
Skill Invoke	`NONE`	`NONE`	—	N/A - No cross-skill invocation

1 High 6 findings

🔑

High API Key 疑似硬编码凭证

API_KEY="your_appkey_here"

SKILL.md:21

🔗

Medium External URL 外部 URL

https://www.jisuapi.com/

SKILL.md:9

🔗

Medium External URL 外部 URL

https://www.jisuapi.com/api/express

SKILL.md:14

🔗

Medium External URL 外部 URL

https://api.jisuapi.com/express/static/images/logo/80/yunda.png

SKILL.md:95

🔗

Medium External URL 外部 URL

https://api.jisuapi.com/express/query

express.py:13

🔗

Medium External URL 外部 URL

https://api.jisuapi.com/express/type

express.py:14

File Tree

2 files · 10.2 KB · 327 lines

Markdown 1f · 166L Python 1f · 161L

├─ 🐍 express.py Python 161L · 4.2 KB

└─ 📝 SKILL.md Markdown 166L · 6.0 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`requests`	`*`	pip	No	Version not pinned - consider pinning to specific version

Security Positives

✓ Uses requests library with proper timeout (10s) configured

✓ No subprocess or shell execution

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ No data exfiltration or credential theft

✓ JSON input is parsed safely using json.loads() without unsafe eval

✓ API key is read from environment variable, never hardcoded

✓ Network requests limited to legitimate Jisu Express API endpoints only

✓ No base64 encoding/decoding or obfuscated code execution

✓ Clean, straightforward implementation focused on stated purpose

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives