ClawHub
Back to skill
v1.0.8

Atoship

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:49 AM.

Analysis

Atoship appears purpose-aligned, but it needs an API key that can buy shipping labels and spend wallet funds, and it sends shipment details to Atoship/carriers.

GuidanceInstall only if you trust Atoship with shipping and customer address data. Start with a test key or small wallet balance, keep the API key private, and carefully review every price, service, and address before confirming wallet-affecting actions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusNote
SKILL.md
Always show the user the carrier, service, price, and full addresses, then ask for explicit confirmation ... before calling the purchase API.

The skill can call a purchase API that creates paid shipping labels, but the artifact also includes a clear explicit-confirmation safeguard.

User impactA mistaken or poorly reviewed confirmation could buy a real label and deduct funds from the postage wallet.
RecommendationBefore confirming, verify the carrier, service, price, sender and recipient addresses, and package details.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
Your API key authorizes label purchases and wallet charges.

The required credential has spend authority on the user's Atoship account, which is expected for shipping labels but important to handle carefully.

User impactAnyone or any agent flow with access to the key may be able to use wallet funds for label purchases.
RecommendationUse a test key or small wallet balance while evaluating, keep the key private, enable spending alerts, and rotate or revoke the key if needed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityMediumConfidenceHighStatusNote
SKILL.md
Your AI assistant calls the atoship API directly using your API key ... Sender: Name, Street, City, State, ZIP ... Recipient: Name, Street, City, State, ZIP

The workflow sends names, addresses, package details, and related shipment data to an external shipping API as part of its purpose.

User impactPersonal or customer shipping information will be shared with Atoship and potentially carrier services.
RecommendationOnly provide shipment data needed for the task and review the provider's privacy and data-handling practices before use.