Joy Logistics
Author: joy-logistics · v1.0.3 · MIT-0
Total downloads: 137 · Favorites: 0 · Current installs: 0 · Versions: 4
Install in OpenClaw
/install joy-logistics
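Description
JD International Logistics data query skill. Core capabilities: supports three functional modules: logistics trace tracking, international operations indicator queries, and cross-border small-parcel experience indicator queries. 1. International logistics trace tracking skill. Description: queries real-time logistics trace information for international logistics tracking numbers. Supported number types: - JD order numbers starting with FS - JD waybill numbers starting with JDW - Customer waybill numbers - Carrier waybill numbers. Core capabilities: - Real-time query...
Usage instructions (SKILL.md)
joy-logistics — International Logistics Skills Collection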
Complete collection of multi Logistics skills for OpenClaw agents.
Included Skills
| Skill | Category | Description |
|---|---|---|
| joy-logistics-trace | logistics-trace-query | Detailed international logistics trace queries |
| joy-logistics-indicator | indicators-query | Queries for international supply chain and cross-border small-parcel indicators |
Documentation
See README.md for the complete setup guide (in Chinese).
Security recommendations
This skill appears to implement JD logistics tracking and indicator queries, but there are several red flags you should address before installing or using it:
- The code requires an environment variable named 'token' (used as an API auth header), but the skill metadata does not declare any required credentials. Do not set or export any sensitive token unless you know exactly which service issued it and trust the skill owner.
- One tracking script posts to lop-proxy.ochama.com rather than an obvious jd.com API; confirm with the author/maintainer why this host is used and whether it is an authorized proxy. If you cannot verify the endpoint, do not provide real credentials.
- All HTTPS requests set rejectUnauthorized: false (TLS certificate validation disabled). This allows connections to servers with invalid/forged certificates and makes man-in-the-middle attacks easier. Request that this be removed (set to true or omitted) before using with real secrets.
- The skill assumes Node.js is available and instructs running local node scripts, but the registry metadata does not list node as a required binary. Ensure your environment is isolated (e.g., run in a sandbox) when testing.
Recommended next steps before trusting this skill:
1. Ask the publisher to update registry metadata to declare the required 'token' env var and to explain the exact authority/scope of that token (which API it authenticates to).
2. Ask why lop-proxy.ochama.com is used and for proof that it is an approved proxy for JD services; replace it with official endpoints if possible.
3. Require the removal of rejectUnauthorized: false so TLS is validated.
4. Test in a safe environment with a non-production token and monitor network traffic to verify where requests go.
If the author cannot satisfactorily explain the hostname and TLS settings, treat this skill as untrusted and avoid supplying real credentials.
Functional analysis
Type: OpenClaw Skill
Name: joy-logistics
Version: 1.0.3
The skill bundle contains multiple Node.js scripts (get_cross_board_data.js, get_isc_data.js, and get_tracking_data.js) that explicitly disable SSL certificate validation by setting 'rejectUnauthorized: false', which is a significant security vulnerability allowing for man-in-the-middle (MITM) attacks. Additionally, the README.md provides instructions for users to hardcode a sensitive 'token' into their environment variables. While the scripts' logic appears consistent with the stated purpose of querying JD logistics data, the intentional bypass of standard security protocols and the handling of credentials make the bundle high-risk.
Capability assessment
Purpose & Capability
The skill claims no required environment variables or binaries, but all three included scripts expect a 'token' environment variable and the SKILL README shows steps to export a token. The SKILL.md and scripts assume Node.js is available (they run 'node ...') but required binaries do not list node. Requesting a token is coherent with calling JD APIs, but omitting that requirement from metadata is an inconsistency and reduces transparency. Additionally, one tracking script posts to lop-proxy.ochama.com (not a jd.com host), which does not obviously match the stated JD integration.
Instruction Scope
Runtime instructions direct the agent to run local Node scripts that build JSON payloads and POST them to external HTTP endpoints while including the 'token' header. Scripts follow tight parameter rules and do not ask to read unrelated local files (commented code to read ~/.env is inactive), but they do set rejectUnauthorized: false on HTTPS requests—this disables TLS certificate validation and broadens attack surface by allowing connections to servers with invalid/forged certs. The execution of network calls with an undeclared secret is out-of-band relative to declared metadata.
Install Mechanism
There is no install spec (instruction-only at registry level), which reduces supply-chain risk from arbitrary downloads. However code files are packaged with the skill and will be executed by running 'node' commands; the package does not declare Node as a required binary. No external archives or installers are fetched.
Credentials
The code requires a 'token' environment variable (and README even shows how to set one), but the skill metadata lists no required env vars and no primary credential; this is a clear mismatch. Supplying 'token' gives the skill access to whatever the external endpoints honor; combined with the unexpected hostname (lop-proxy.ochama.com) and disabled TLS validation, the secret could be sent to an untrusted party. The sample token in README may encourage users to store/reuse tokens without understanding scope.
Persistence & Privilege
The skill does not request persistent/always-on installation (always:false), does not modify other skills or system-wide settings, and does not declare any config paths to access other skills' credentials. It requires local execution but does not attempt to gain elevated platform privileges.
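How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install joy-logistics
- Once installation completes, call the Skill by name or trigger it with /joy-logistics
- Provide the required input according to the Skill's parameter description to get structured output
Version history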
v1.0.3
- Improved query scripts for cross-border and ISC indicator data.
- Enhanced tracking data retrieval functionality.
- General code maintenance and updates across core modules.
v1.0.2
- Added modular skill structure with sub-skills `joy-logistics-trace` and `joy-logistics-indicator`
- Separated documentation and code for trace and indicator queries into their own directories
- Provided overview of included skills and their categories
- Updated indicator list to differentiate between supply chain and small parcel fulfillment rates
- Added a reference to README.md for full setup information
v1.0.1
Version 1.0.1
- fix typo in headers for cross-border package query.
v1.0.0
joy-logistics 1.0.0
- Initial release with support for JD International Logistics data queries.
- Features include: international shipment tracking, supply chain operations metrics, and cross-border parcel experience metrics queries.
- Supports batch tracking for various waybill types: FS, JDW, customer numbers, and carrier numbers.
- Provides multi-dimensional analysis of supply chain and parcel fulfillment indicators.
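FAQ
What is Joy Logistics?
JD International Logistics data query skill. Core capabilities: supports three functional modules: logistics trace tracking, international operations indicator queries, and cross-border small-parcel experience indicator queries. 1. International logistics trace tracking skill. Description: queries real-time logistics trace information for international logistics tracking numbers. Supported number types: - JD order numbers starting with FS - JD waybill numbers starting with JDW - Customer waybill numbers - Carrier waybill numbers. Core capabilities: - Real-time query... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 137 total downloads to date.
How do I install Joy Logistics?
Run the command "/install joy-logistics" in the OpenClaw or Claude Code chat box for a one-step install, with no additional configuration required.
Is Joy Logistics free?
Yes. Joy Logistics is completely free, is released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does Joy Logistics support?
Joy Logistics is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who develops Joy Logistics?
It is developed and maintained by joy-logistics (@joy-logistics); the current version is v1.0.3.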