← Back to Skills Marketplace
158
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install zto
Description
Use ZTO Express (中通快递) for shipment tracking, shipping guidance, service-type comparison, outlet lookup, and delivery-time or fee estimation. Use when the us...
Usage Guidance
What to consider before installing:
- The skill appears to be a local ZTO helper that stores history, subscriptions, and optional encrypted files under ~/.openclaw/data/zto/. That behavior is declared in SKILL.md and implemented in code.
- The SecureStorage implementation stores a Fernet key at ~/.openclaw/data/zto/secure/.key with file mode 600. While the data are encrypted, the key is stored locally; if an attacker can read your home directory they could decrypt the files. Avoid storing highly sensitive secrets (bank details, full identity documents) in the skill's storage.
- The code imports aiohttp (networking). The visible query() simulates results, but the zto.py file was truncated in the listing — review the full file for any network calls or outbound endpoints before trusting it, especially any code that might transmit stored data to remote servers.
- Dependencies are normal Python packages. Install into a virtualenv/sandbox if you want to reduce risk.
- Use the provided privacy commands (privacy info / privacy clear / privacy export) to audit and remove data if you decide to try the skill.
- If you do not trust the skill author or cannot inspect the entire zto.py file, treat it as untrusted code and run in an isolated environment.
If you want, I can scan the remainder of zto.py (provide the full file) and specifically look for network endpoints, telemetry/callback code, or references to external hosts.
Capability Analysis
Type: OpenClaw Skill
Name: zto
Version: 1.0.0
The 'zto' skill is a legitimate tool for ZTO Express shipment tracking and logistics estimation. It uses local SQLite storage and a dedicated encryption module (security.py) to manage user history and subscriptions within the ~/.openclaw/ directory, all of which is clearly disclosed in SKILL.md. The code logic in zto.py is transparent, lacks any evidence of data exfiltration or unauthorized execution, and includes built-in privacy controls for users to inspect or clear their local data.
Capability Assessment
Purpose & Capability
Name/description (ZTO tracking, estimates, outlet lookup) aligns with the included code: local DB for history/subscriptions, price/time estimates, and formatting. The required dependencies (aiohttp, cryptography, etc.) are plausible for a CLI that could fetch remote data, encrypt local secrets, and render QR/images.
Instruction Scope
SKILL.md clearly documents local persistence paths and privacy controls. The runtime code writes an SQLite DB and may use SecureStorage for encrypted files. However the Python code imports aiohttp (network library) but the visible query() implementation simulates results rather than calling external ZTO endpoints; this leaves open the possibility the rest of zto.py (truncated in the listing) initiates network traffic to endpoints not declared in SKILL.md. SKILL.md does not declare any external endpoints — if the code later contacts remote APIs, that should be disclosed.
Install Mechanism
No installation script/remote download is included — this is an instruction-only/packaged-code skill. Dependencies are standard Python packages listed in requirements.txt. No suspicious URL downloads or archive extraction are present.
Credentials
The skill does not request environment variables, system paths, or external credentials. Its use of local storage under the user's home directory is proportionate to its functionality.
Persistence & Privilege
The skill persists data under ~/.openclaw/data/zto, including an encrypted storage area and a locally-stored Fernet key file (~/.openclaw/data/zto/secure/.key). This is expected for local encrypted storage, but storing the encryption key on disk next to the encrypted files reduces protection if an attacker already has local file access. always:false and no system-wide config changes are requested.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install zto - After installation, invoke the skill by name or use
/zto - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
No changes detected in this version.
- Version 1.0.0 has no file modifications or updates from the previous release.
v1.0.1
English-first documentation update
Metadata
Frequently Asked Questions
What is Zto?
Use ZTO Express (中通快递) for shipment tracking, shipping guidance, service-type comparison, outlet lookup, and delivery-time or fee estimation. Use when the us... It is an AI Agent Skill for Claude Code / OpenClaw, with 158 downloads so far.
How do I install Zto?
Run "/install zto" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Zto free?
Yes, Zto is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Zto support?
Zto is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Zto?
It is built and maintained by haidong (@harrylabsj); the current version is v1.0.0.
More Skills