Track parcels and shipments via the 17TRACK API. Manage a local SQLite database of tracked packages with automatic status polling, webhook ingestion, and dai...
Security Analysis
medium confidence
The skill's code, instructions, and required secrets align with a parcel-tracking tool that talks to 17TRACK and stores data locally, with only minor metadata inconsistencies to verify before install.
Name/description (17TRACK parcel tracking) match the included scripts and behavior: the code calls the 17TRACK API endpoints, stores data in a local SQLite DB, supports polling, webhooks, and daily reports. Required artifacts (TRACK17_TOKEN, optional webhook secret, data dir overrides) are appropriate for this purpose.
SKILL.md instructs the agent to initialize DB, add packages, sync, run webhooks or ingest payloads, and run the daily report. All runtime actions described (reading/writing local DB, calling 17TRACK endpoints, running a local webhook server) are consistent with the stated purpose and map to explicit script commands. The guidance to not echo secrets is present. The skill asks the agent to activate whenever a user mentions package tracking — broad but consistent with the skill's goal.
No install spec is present (instruction-only installation with included scripts). This is low-risk: nothing is downloaded at install time and bundled scripts are plain Python using only the stdlib.
The runtime requires a single API token (TRACK17_TOKEN) and optionally TRACK17_WEBHOOK_SECRET, TRACK17_DATA_DIR, TRACK17_WORKSPACE_DIR, and TRACK17_LANG, all proportionate. Note: the registry metadata shown earlier, at the top of the report, said "Required env vars: none," while SKILL.md and the scripts clearly require TRACK17_TOKEN; this metadata mismatch should be resolved before trusting automated installation/configuration.
Skill does not request always: true and does not modify other skills or system-wide settings. It stores data under a workspace/packages/track17 directory (configurable). The webhook server binds to user-specified addresses; by default the docs suggest 127.0.0.1 which keeps it local.
Guidance
This skill appears coherent for 17TRACK parcel tracking, but verify a few things before installing:
(1) Confirm the official source: _meta.json points to a GitHub repo; the registry summary earlier said 'source unknown'. Prefer installing from that GitHub repo or reviewing it yourself.
(2) Provide TRACK17_TOKEN only (do not paste it into public files); the skill expects the token in ~/.clawdbot/clawdbot.json or as an env var.
(3) If you enable webhooks, set TRACK17_WEBHOOK_SECRET and bind the server to 127.0.0.1 or a controlled IP; review firewall rules if exposing to the public internet.
(4) Inspect the bundled scripts (they appear to use only stdlib and call only 17TRACK endpoints) and ensure the resolved data directory is acceptable. You can set TRACK17_DATA_DIR to an explicit path to avoid unexpected workspace discovery.
(5) Resolve the registry metadata mismatch about required env vars before automated install; if uncertain, run the scripts locally in an isolated environment first.
Latest Release
v1.0.3
Security fix: removed hardcoded paths from daily-report.py (uses same path resolution as track17.py). Token read from TRACK17_TOKEN env var only. Removed WhatsApp/external channel references from SKILL.md.
Published by @f-liva on ClawHub