← Back to Skills Marketplace
海外物流Skill合集
by
jdl-external-skills
· GitHub ↗
· v1.0.1
· MIT-0
82
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install i-logisitics-skill
Description
京东国际物流数据查询技能 核心能力:支持物流轨迹追踪、国际运营指标查询、跨境小包体验指标查询三大功能模块。 1.国际物流轨迹追踪技能 功能描述:查询国际物流单号的实时物流轨迹信息。 支持的单号类型: - FS 开头的京东订单号 - JDW 开头的京东运单号 - 客户运单号 - 承运商运单号 核心能力: - 实时查...
README (SKILL.md)
joy-logistics-skill — 国际物流 Skills 全集
Complete collection of multi Logistics skills for OpenClaw agents.
Included Skills
| Skill | Category | Description |
|---|---|---|
| joy-logistics-trace | logistics-trace-query | 国际物流轨迹明细查询 |
| joy-logistics-indicator | indicators-query | 国际供应链、跨境小包相关指标查询 |
Documentation
See README.md for the complete setup guide (in Chinese).
Usage Guidance
This skill largely does what it says (logistics tracking and indicators), but there are several red flags you should address before installing or providing any secret:
- Do not set or expose any real API token until you confirm the exact env var name the skill expects. The code expects process.env.token or joy_token, but README suggests api_key in ~/.env — these must be reconciled.
- The tracking script sends requests to lop-proxy.ochama.com rather than a jd.com domain. Ask the author why a third‑party proxy is used and request documentation proving it's an approved JD proxy. If you cannot verify, do not provide tokens.
- The HTTPS requests set rejectUnauthorized: false, which disables TLS certificate verification. This weakens security and can enable man‑in‑the‑middle interception of tokens/responses. Request that the author remove this and use verified TLS.
- If you must test, do so in an isolated environment with a throwaway token (no production credentials) and monitor outbound connections. Prefer to run the scripts in a network-restricted environment so they cannot reach unknown hosts until verified.
- Ask the publisher to update the registry metadata to declare required env vars (exact names) and to justify any non-jd endpoints. If the author can prove the proxy is authorized and fix TLS settings and the env var mismatch, the concerns would be resolved and confidence would increase.
If you want, I can draft specific questions to send to the author or produce a safe test plan to validate endpoints and env var usage.
Capability Analysis
Type: OpenClaw Skill
Name: i-logisitics-skill
Version: 1.0.1
The skill bundle is designed to query JD logistics and supply chain data but contains a recurring security vulnerability: `rejectUnauthorized: false` is explicitly set in the HTTPS request options within `get_cross_board_data.js`, `get_isc_data.js`, and `get_tracking_data.js`. This disables SSL certificate validation, making the API requests and the sensitive 'token' (passed in headers) vulnerable to Man-in-the-Middle (MitM) attacks. While the code logic appears aligned with its stated purpose, the use of insecure network configurations and the reliance on the AI agent to correctly sanitize inputs for shell command execution (as instructed in `SKILL.md`) warrants a suspicious classification.
Capability Tags
Capability Assessment
Purpose & Capability
The skill's name and documented features match the code (tracking + indicators). However the tracking script posts to lop-proxy.ochama.com (not a jd.com domain) while setting a JD-related header; that proxy is unexpected for a JD logistics skill. Also registry metadata declares no required env vars/credentials but the scripts require a token/joy_token environment variable — a clear mismatch.
Instruction Scope
Runtime instructions are concrete (call node scripts with positional args) and mostly scoped to querying APIs. Problems: SKILL.md/README and scripts disagree about where/what env var to store credentials (README shows api_key in ~/.env, scripts use process.env.token or joy_token). The README suggests writing secrets to ~/.env; SKILL metadata declares no secrets. Instructions also require very strict command formats (positional args, '.' placeholders) which is fine functionally but increases risk if users accidentally expose tokens in shells/logs. No explicit exfiltration code exists, but the unexpected proxy hostname and TLS verification being disabled in the HTTPS calls broaden the scope of risk.
Install Mechanism
No install specification (instruction-only + included scripts). No external archives or installers are fetched during install. The code is present in the bundle, so install risk is low. However the runtime code makes outbound HTTPS requests and sets rejectUnauthorized: false — a runtime choice that weakens TLS security.
Credentials
Scripts expect a token (process.env.token or joy_token) and the README instructs writing an api_key to ~/.env under a different name. The skill package metadata does not declare any required env vars or primary credential. Requesting and using a token is proportionate to calling JD APIs, but the undeclared/misaligned env var names, plus sending that token to an unexpected third‑party host (lop-proxy.ochama.com) and disabling certificate validation, is disproportionate and suspicious.
Persistence & Privilege
always:false and user-invocable:true (defaults). The skill does not request any special persistent platform privileges and does not modify other skills. No persistence/auto-enable indicators present.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install i-logisitics-skill - After installation, invoke the skill by name or use
/i-logisitics-skill - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Skill name updated from joy-logistics-indicator to i-logistics-skill.
- No file changes detected; only SKILL.md metadata updated.
- Core functionality and description remain unchanged.
v1.0.0
joy-logistics-indicator v1.0.0
- Initial release of 京东国际物流数据查询技能 (JD International Logistics Data Query Skill)
- Supports real-time international logistics tracking for multiple tracking number types (京东订单号, 运单号, carrier numbers)
- Provides comprehensive supply chain and cross-border parcel indicator queries across 30+ metrics
- Combines three core modules: logistics trace tracking, international operation indicators, and cross-border parcel experience indicators
Metadata
Frequently Asked Questions
What is 海外物流Skill合集?
京东国际物流数据查询技能 核心能力:支持物流轨迹追踪、国际运营指标查询、跨境小包体验指标查询三大功能模块。 1.国际物流轨迹追踪技能 功能描述:查询国际物流单号的实时物流轨迹信息。 支持的单号类型: - FS 开头的京东订单号 - JDW 开头的京东运单号 - 客户运单号 - 承运商运单号 核心能力: - 实时查... It is an AI Agent Skill for Claude Code / OpenClaw, with 82 downloads so far.
How do I install 海外物流Skill合集?
Run "/install i-logisitics-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 海外物流Skill合集 free?
Yes, 海外物流Skill合集 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does 海外物流Skill合集 support?
海外物流Skill合集 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created 海外物流Skill合集?
It is built and maintained by jdl-external-skills (@jdl-external-skills); the current version is v1.0.1.
More Skills