Overseas Logistics Skill Collection
Author: jdl-external-skills · v1.0.1 · MIT-0
82 total downloads · 0 favorites · 0 current installs · 2 versions
Install in OpenClaw
/install i-logisitics-skill
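Description
JD International Logistics Data Query Skill. Core capabilities: three functional modules covering logistics trace tracking, international operations indicator queries, and cross-border small-parcel experience indicator queries.
1. International logistics trace tracking skill
Description: queries real-time logistics trace information for international logistics tracking numbers.
Supported tracking number types:
- JD order numbers beginning with FS
- JD waybill numbers beginning with JDW
- Customer waybill numbers
- Carrier waybill numbers
Core capabilities:
- Real-time query...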
Usage instructions (SKILL.md)
joy-logistics-skill — Complete International Logistics Skills Collection
Complete collection of multi Logistics skills for OpenClaw agents.
Included Skills
| Skill | Category | Description |
|---|---|---|
| joy-logistics-trace | logistics-trace-query | International logistics trace detail query |
| joy-logistics-indicator | indicators-query | Queries for international supply chain and cross-border small-parcel indicators |
Documentation
See README.md for the complete setup guide (in Chinese).
Security usage recommendations
This skill largely does what it says (logistics tracking and indicators), but there are several red flags you should address before installing or providing any secret:
- Do not set or expose any real API token until you confirm the exact env var name the skill expects. The code expects process.env.token or joy_token, but README suggests api_key in ~/.env — these must be reconciled.
- The tracking script sends requests to lop-proxy.ochama.com rather than a jd.com domain. Ask the author why a third‑party proxy is used and request documentation proving it's an approved JD proxy. If you cannot verify, do not provide tokens.
- The HTTPS requests set rejectUnauthorized: false, which disables TLS certificate verification. This weakens security and can enable man‑in‑the‑middle interception of tokens/responses. Request that the author remove this and use verified TLS.
- If you must test, do so in an isolated environment with a throwaway token (no production credentials) and monitor outbound connections. Prefer to run the scripts in a network-restricted environment so they cannot reach unknown hosts until verified.
- Ask the publisher to update the registry metadata to declare required env vars (exact names) and to justify any non-jd endpoints. If the author can prove the proxy is authorized and fix TLS settings and the env var mismatch, the concerns would be resolved and confidence would increase.
Functional analysis
Type: OpenClaw Skill
Name: i-logisitics-skill
Version: 1.0.1
The skill bundle is designed to query JD logistics and supply chain data but contains a recurring security vulnerability: `rejectUnauthorized: false` is explicitly set in the HTTPS request options within `get_cross_board_data.js`, `get_isc_data.js`, and `get_tracking_data.js`. This disables SSL certificate validation, making the API requests and the sensitive 'token' (passed in headers) vulnerable to Man-in-the-Middle (MitM) attacks. While the code logic appears aligned with its stated purpose, the use of insecure network configurations and the reliance on the AI agent to correctly sanitize inputs for shell command execution (as instructed in `SKILL.md`) warrants a suspicious classification.
Capability assessment
Purpose & Capability
The skill's name and documented features match the code (tracking + indicators). However the tracking script posts to lop-proxy.ochama.com (not a jd.com domain) while setting a JD-related header; that proxy is unexpected for a JD logistics skill. Also registry metadata declares no required env vars/credentials but the scripts require a token/joy_token environment variable — a clear mismatch.
Instruction Scope
Runtime instructions are concrete (call node scripts with positional args) and mostly scoped to querying APIs. Problems: SKILL.md/README and scripts disagree about where/what env var to store credentials (README shows api_key in ~/.env, scripts use process.env.token or joy_token). The README suggests writing secrets to ~/.env; SKILL metadata declares no secrets. Instructions also require very strict command formats (positional args, '.' placeholders) which is fine functionally but increases risk if users accidentally expose tokens in shells/logs. No explicit exfiltration code exists, but the unexpected proxy hostname and TLS verification being disabled in the HTTPS calls broaden the scope of risk.
Install Mechanism
No install specification (instruction-only + included scripts). No external archives or installers are fetched during install. The code is present in the bundle, so install risk is low. However the runtime code makes outbound HTTPS requests and sets rejectUnauthorized: false — a runtime choice that weakens TLS security.
Credentials
Scripts expect a token (process.env.token or joy_token) and the README instructs writing an api_key to ~/.env under a different name. The skill package metadata does not declare any required env vars or primary credential. Requesting and using a token is proportionate to calling JD APIs, but the undeclared/misaligned env var names, plus sending that token to an unexpected third‑party host (lop-proxy.ochama.com) and disabling certificate validation, is disproportionate and suspicious.
Persistence & Privilege
always:false and user-invocable:true (defaults). The skill does not request any special persistent platform privileges and does not modify other skills. No persistence/auto-enable indicators present.
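How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install i-logisitics-skill
- After installation, invoke the Skill directly by name or trigger it with /i-logisitics-skill
- Provide the required inputs according to the Skill's parameter description to get structured output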
Version history
v1.0.1
- Skill name updated from joy-logistics-indicator to i-logistics-skill.
- No file changes detected; only SKILL.md metadata updated.
- Core functionality and description remain unchanged.
v1.0.0
joy-logistics-indicator v1.0.0
- Initial release of 京东国际物流数据查询技能 (JD International Logistics Data Query Skill)
- Supports real-time international logistics tracking for multiple tracking number types (JD order numbers, waybill numbers, carrier numbers)
- Provides comprehensive supply chain and cross-border parcel indicator queries across 30+ metrics
- Combines three core modules: logistics trace tracking, international operation indicators, and cross-border parcel experience indicators
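FAQ
What is the Overseas Logistics Skill Collection?
JD International Logistics Data Query Skill. Core capabilities: three functional modules covering logistics trace tracking, international operations indicator queries, and cross-border small-parcel experience indicator queries. 1. International logistics trace tracking skill. Description: queries real-time logistics trace information for international logistics tracking numbers. Supported tracking number types: - JD order numbers beginning with FS - JD waybill numbers beginning with JDW - Customer waybill numbers - Carrier waybill numbers. Core capabilities: - Real-time query... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 82 cumulative downloads to date.
How do I install the Overseas Logistics Skill Collection?
Run the command "/install i-logisitics-skill" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.
Is the Overseas Logistics Skill Collection free?
Yes. The Overseas Logistics Skill Collection is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.
Which platforms does the Overseas Logistics Skill Collection support?
The Overseas Logistics Skill Collection is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed the Overseas Logistics Skill Collection?
It is developed and maintained by jdl-external-skills (@jdl-external-skills); the current version is v1.0.1.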