← Back to Skills Marketplace
Joy Logistics
by
joy-logistics
· GitHub ↗
· v1.0.3
· MIT-0
137
Downloads
0
Stars
0
Active Installs
4
Versions
Install in OpenClaw
/install joy-logistics
Description
京东国际物流数据查询技能 核心能力:支持物流轨迹追踪、国际运营指标查询、跨境小包体验指标查询三大功能模块。 1.国际物流轨迹追踪技能 功能描述:查询国际物流单号的实时物流轨迹信息。 支持的单号类型: - FS 开头的京东订单号 - JDW 开头的京东运单号 - 客户运单号 - 承运商运单号 核心能力: - 实时查...
README (SKILL.md)
joy-logistics — 国际物流 Skills 全集
Complete collection of multi Logistics skills for OpenClaw agents.
Included Skills
| Skill | Category | Description |
|---|---|---|
| joy-logistics-trace | logistics-trace-query | 国际物流轨迹明细查询 |
| joy-logistics-indicator | indicators-query | 国际供应链、跨境小包相关指标查询 |
Documentation
See README.md for the complete setup guide (in Chinese).
Usage Guidance
This skill appears to implement JD logistics tracking and indicator queries, but there are several red flags you should address before installing or using it:
- The code requires an environment variable named 'token' (used as an API auth header), but the skill metadata does not declare any required credentials. Do not set or export any sensitive token unless you know exactly which service issued it and trust the skill owner.
- One tracking script posts to lop-proxy.ochama.com rather than an obvious jd.com API; confirm with the author/maintainer why this host is used and whether it is an authorized proxy. If you cannot verify the endpoint, do not provide real credentials.
- All HTTPS requests set rejectUnauthorized: false (TLS certificate validation disabled). This allows connections to servers with invalid/forged certificates and makes man-in-the-middle attacks easier. Request that this be removed (set to true or omitted) before using with real secrets.
- The skill assumes Node.js is available and instructs running local node scripts, but the registry metadata does not list node as a required binary. Ensure your environment is isolated (e.g., run in a sandbox) when testing.
Recommended next steps before trusting this skill:
1. Ask the publisher to update registry metadata to declare the required 'token' env var and to explain the exact authority/scope of that token (which API it authenticates to).
2. Ask why lop-proxy.ochama.com is used and for proof that it is an approved proxy for JD services; replace it with official endpoints if possible.
3. Require the removal of rejectUnauthorized: false so TLS is validated.
4. Test in a safe environment with a non-production token and monitor network traffic to verify where requests go.
If the author cannot satisfactorily explain the hostname and TLS settings, treat this skill as untrusted and avoid supplying real credentials.
Capability Analysis
Type: OpenClaw Skill
Name: joy-logistics
Version: 1.0.3
The skill bundle contains multiple Node.js scripts (get_cross_board_data.js, get_isc_data.js, and get_tracking_data.js) that explicitly disable SSL certificate validation by setting 'rejectUnauthorized: false', which is a significant security vulnerability allowing for man-in-the-middle (MITM) attacks. Additionally, the README.md provides instructions for users to hardcode a sensitive 'token' into their environment variables. While the scripts' logic appears consistent with the stated purpose of querying JD logistics data, the intentional bypass of standard security protocols and the handling of credentials make the bundle high-risk.
Capability Assessment
Purpose & Capability
The skill claims no required environment variables or binaries, but all three included scripts expect a 'token' environment variable and the SKILL README shows steps to export a token. The SKILL.md and scripts assume Node.js is available (they run 'node ...') but required binaries do not list node. Requesting a token is coherent with calling JD APIs, but omitting that requirement from metadata is an inconsistency and reduces transparency. Additionally, one tracking script posts to lop-proxy.ochama.com (not a jd.com host), which does not obviously match the stated JD integration.
Instruction Scope
Runtime instructions direct the agent to run local Node scripts that build JSON payloads and POST them to external HTTP endpoints while including the 'token' header. Scripts follow tight parameter rules and do not ask to read unrelated local files (commented code to read ~/.env is inactive), but they do set rejectUnauthorized: false on HTTPS requests—this disables TLS certificate validation and broadens attack surface by allowing connections to servers with invalid/forged certs. The execution of network calls with an undeclared secret is out-of-band relative to declared metadata.
Install Mechanism
There is no install spec (instruction-only at registry level), which reduces supply-chain risk from arbitrary downloads. However code files are packaged with the skill and will be executed by running 'node' commands; the package does not declare Node as a required binary. No external archives or installers are fetched.
Credentials
The code requires a 'token' environment variable (and README even shows how to set one), but the skill metadata lists no required env vars and no primary credential—this is a clear mismatch. Supplying 'token' gives the skill access to whatever the external endpoints honor; combined with the unexpected hostname (lop-proxy.ochama.com) and disabled TLS validation, the secret could be sent to an untrusted party. The sample token in README may encourage users to store/ reuse tokens without understanding scope.
Persistence & Privilege
The skill does not request persistent/always-on installation (always:false), does not modify other skills or system-wide settings, and does not declare any config paths to access other skills' credentials. It requires local execution but does not attempt to gain elevated platform privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install joy-logistics - After installation, invoke the skill by name or use
/joy-logistics - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
- Improved query scripts for cross-border and ISC indicator data.
- Enhanced tracking data retrieval functionality.
- General code maintenance and updates across core modules.
v1.0.2
- Added modular skill structure with sub-skills `joy-logistics-trace` and `joy-logistics-indicator`
- Separated documentation and code for trace and indicator queries into their own directories
- Provided overview of included skills and their categories
- Updated indicator list to differentiate between supply chain and small parcel fulfillment rates
- Added a reference to README.md for full setup information
v1.0.1
Version 1.0.1
- fix typo in headers for cross-border package query.
v1.0.0
joy-logistics 1.0.0
- Initial release with support for JD International Logistics data queries.
- Features include: international shipment tracking, supply chain operations metrics, and cross-border parcel experience metrics queries.
- Supports batch tracking for various waybill types: FS, JDW, customer numbers, and carrier numbers.
- Provides multi-dimensional analysis of supply chain and parcel fulfillment indicators.
Metadata
Frequently Asked Questions
What is Joy Logistics?
京东国际物流数据查询技能 核心能力:支持物流轨迹追踪、国际运营指标查询、跨境小包体验指标查询三大功能模块。 1.国际物流轨迹追踪技能 功能描述:查询国际物流单号的实时物流轨迹信息。 支持的单号类型: - FS 开头的京东订单号 - JDW 开头的京东运单号 - 客户运单号 - 承运商运单号 核心能力: - 实时查... It is an AI Agent Skill for Claude Code / OpenClaw, with 137 downloads so far.
How do I install Joy Logistics?
Run "/install joy-logistics" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Joy Logistics free?
Yes, Joy Logistics is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Joy Logistics support?
Joy Logistics is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Joy Logistics?
It is built and maintained by joy-logistics (@joy-logistics); the current version is v1.0.3.
More Skills