Shippo
v1.0.0
Shippo — shipping labels, rates comparison, package tracking, address validation, and returns.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (Shippo API actions) match the required credential (SHIPPO_API_TOKEN) and the script calls https://api.goshippo.com. The declared primaryEnv is appropriate for the stated purpose.
Instruction Scope
SKILL.md instructs only running the provided CLI. However, the script attempts to read a .env file under WORKSPACE or ~/.openclaw/workspace if SHIPPO_API_TOKEN is absent — this file-read behavior is not documented in SKILL.md or requires.config and expands the agent's runtime scope unexpectedly.
Install Mechanism
No install spec is present (instruction-only with a bundled script). No remote downloads or package installs are performed.
Credentials
Declared env requirement is only SHIPPO_API_TOKEN (reasonable). The script additionally reads WORKSPACE and ~/.openclaw/workspace/.env to source credentials if the env var is missing — accessing a local .env is not declared and could expose other secrets in that file if present.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform privileges or modify other skills. It performs only outbound calls to the Shippo API with the provided token.
What to consider before installing
This skill appears to do what it claims (calls the Shippo API) and only needs SHIPPO_API_TOKEN, but there are two issues you should consider before installing:
1) The bundled script quietly tries to load credentials from WORKSPACE or ~/.openclaw/workspace/.env if SHIPPO_API_TOKEN isn't set. That file-read behavior is not documented — check that your workspace .env does not contain unrelated secrets you don't want accessed.
2) The Python CLI contains several implementation bugs (mismatched argument names like dest="from_addr" vs getattr(args, 'from'), broken path placeholder replacements) that can cause commands to crash or call invalid endpoints. These are quality defects, not evidence of exfiltration, but they mean you should review and test the code before using it in production.
Recommended actions: review the scripts/shippo.py source yourself, confirm the token usage is only for api.goshippo.com, fix the argument and path bugs (or ask the author for a corrected release), and avoid running it in an environment where ~/.openclaw/workspace/.env contains any unrelated secrets. If you need higher assurance, request the skill's source repository or a signed release from the author (agxntsix) and test in a sandbox first.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📦 Clawdis
Env: SHIPPO_API_TOKEN
Primary env: SHIPPO_API_TOKEN
latest
📦 Shippo
Shippo — shipping labels, rates comparison, package tracking, address validation, and returns.
Requirements
| Variable | Required | Description |
|---|---|---|
| SHIPPO_API_TOKEN | ✅ | Shippo API token |
Quick Start
```bash
# Create shipment & get rates
python3 {{baseDir}}/scripts/shippo.py create-shipment --from "JSON address" --to "JSON address" --parcel "JSON"
# List shipments
python3 {{baseDir}}/scripts/shippo.py list-shipments --results "25" --page "1"
# Get shipment details
python3 {{baseDir}}/scripts/shippo.py get-shipment <id>
# Get rates for shipment
python3 {{baseDir}}/scripts/shippo.py get-rates <id>
# Purchase shipping label
python3 {{baseDir}}/scripts/shippo.py purchase-label --rate <value>
# List label transactions
python3 {{baseDir}}/scripts/shippo.py list-transactions --results "25"
# Get label/transaction details
python3 {{baseDir}}/scripts/shippo.py get-transaction <id>
# Track a package
python3 {{baseDir}}/scripts/shippo.py track-package --carrier <value> --tracking-number <value>
# Validate an address
python3 {{baseDir}}/scripts/shippo.py validate-address --name <value> --street1 <value> --city <value> --state <value> --zip <value> --country "US"
# List saved parcels
python3 {{baseDir}}/scripts/shippo.py list-parcels
# Create a parcel template
python3 {{baseDir}}/scripts/shippo.py create-parcel --length <value> --width <value> --height <value> --weight <value>
# Create return shipment
python3 {{baseDir}}/scripts/shippo.py create-return --from "JSON" --to "JSON" --parcel "JSON" --is-return "true"
# List carrier accounts
python3 {{baseDir}}/scripts/shippo.py list-carriers
```
Output Format
All commands output JSON by default.
Script Reference
| Script | Description |
|---|---|
| {baseDir}/scripts/shippo.py | Main CLI — all commands in one tool |
Credits
Built by M. Abidi | agxntsix.ai | YouTube | GitHub
Part of the AgxntSix Skill Suite for OpenClaw agents.
