← Back to Skills Marketplace

17track package tracking

Name: 17track package tracking
Author: tristanmanchester

by Tristan Manchester · GitHub ↗ · v0.1.0

cross-platform ✓ Security Clean

2152

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install track17

Description

Track parcels via the 17TRACK API (local SQLite DB, polling + optional webhook ingestion)

Usage Guidance

This skill is coherent with its purpose, but review and small precautions before enabling are recommended: - Confirm TRACK17_TOKEN is a token you intend to give to this skill and use a token with minimal scope if possible. - Be aware the script writes a SQLite DB and raw webhook payloads under <workspace>/packages/track17/ (or TRACK17_DATA_DIR if set). If you prefer a specific location, set TRACK17_DATA_DIR or TRACK17_WORKSPACE_DIR before first use. - If you enable webhooks: prefer to run the webhook-server bound to localhost behind a reverse proxy or use a tunnelling service (as the README suggests). Do not run the webhook-server publicly without configuring TRACK17_WEBHOOK_SECRET and verifying signatures. - Inspect scripts/track17.py yourself (it’s included) before enabling; because it is executed locally, review ensures it matches your risk tolerance. - Run in a restricted environment or sandbox if you want to limit where files can be written. If you don’t need push webhooks, use the polling (sync) workflow to minimize exposed surface. If you want extra assurance, ask for a short summary of the script's network endpoints and file paths and a confirmation that it will not contact any hosts other than 17track/res.17track.net.

Capability Analysis

Type: OpenClaw Skill Name: track17 Version: 0.1.0 The OpenClaw AgentSkills skill bundle for 'track17' is benign. The `SKILL.md` provides clear instructions for the agent, including an explicit directive to 'Never echo `TRACK17_TOKEN` or `TRACK17_WEBHOOK_SECRET`', which is a strong positive security indicator against prompt injection for credential exfiltration. The `scripts/track17.py` script uses only the Python standard library, accesses only legitimate 17TRACK API endpoints, and confines all local data storage (SQLite DB, webhook inbox, cache) to the expected skill data directory within the workspace. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, obfuscation, or suspicious supply chain practices.

Capability Assessment

✓ Purpose & Capability

Name/description, required env vars, and included code align: the tool talks to 17TRACK APIs, stores data in a workspace-local SQLite DB, and optionally ingests webhooks. No unrelated credentials, binaries, or installs are requested.

ℹ Instruction Scope

SKILL.md and the CLI instruct the agent to initialise a local DB, register tracking numbers, poll (sync) and optionally run or ingest webhooks. The skill auto-detects a workspace by walking the script's parent directories (or using TRACK17_WORKSPACE_DIR/CLAWDBOT_WORKSPACE_DIR) and will read/write under <workspace>/packages/track17/. This file I/O and optional webhook-server behavior is within the stated scope but worth noting: running the server or processing inbox files gives the skill permission to accept and store external payloads and to write into the workspace directory.

✓ Install Mechanism

There is no install spec and the included Python script uses only the standard library (no external downloads or package installs). That minimizes install-time risk; the code is included with the skill rather than fetched from an arbitrary URL.

✓ Credentials

Only TRACK17_TOKEN is required (primaryEnv). Optional envs (TRACK17_WEBHOOK_SECRET, TRACK17_DATA_DIR, TRACK17_WORKSPACE_DIR, TRACK17_LANG) are plausible and relevant. No unrelated secrets or large sets of credentials are requested.

✓ Persistence & Privilege

The skill is not marked always:true, does not request to modify other skills, and writes only to its own workspace-local data dir by default. It can be invoked autonomously (platform default), which is expected for skills, but that is not combined with elevated platform privileges.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install track17
After installation, invoke the skill by name or use /track17
Provide required inputs per the skill's parameter spec and get structured output

Version History

v0.1.0

Initial release of track17: parcel tracking via 17TRACK API with local database. - Track packages and their status via the 17TRACK API. - Stores all package data locally in a SQLite database within the workspace. - Supports both periodic polling (sync) and optional webhook ingestion for updates. - CLI for adding, listing, syncing, and managing parcels. - Optional webhook server and ingestion utilities included. - API credentials required via environment variables; flexible data directory configuration.

Metadata

Slug track17

Version 0.1.0

License —

All-time Installs 7

Active Installs 7

Total Versions 1

Frequently Asked Questions

What is 17track package tracking?

Track parcels via the 17TRACK API (local SQLite DB, polling + optional webhook ingestion). It is an AI Agent Skill for Claude Code / OpenClaw, with 2152 downloads so far.

How do I install 17track package tracking?

Run "/install track17" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is 17track package tracking free?

Yes, 17track package tracking is completely free (open-source). You can download, install and use it at no cost.

Which platforms does 17track package tracking support?

17track package tracking is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created 17track package tracking?

It is built and maintained by Tristan Manchester (@tristanmanchester); the current version is v0.1.0.

More Skills