ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shipping Calc

v3.0.0

Calculate shipping costs with zone-based rates and duty estimates. Use when estimating shipping costs.

0· 371·1 current·1 all-time
bybytesagain4@xueyetianya
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the provided script and SKILL.md: the script implements rate, compare, estimate, duty, track, and batch commands and stores data under ~/.local/share/shipping-calc. Nothing in the files asks for unrelated cloud credentials, system-level access, or unrelated services.
Instruction Scope
SKILL.md instructs the agent to run the included scripts/script.sh commands only and documents the local data directory. The script does not read arbitrary system files or call external endpoints. Minor implementation issues: some commands (track, batch) use single-quoted echo strings so variables won't expand (likely a bug), and the script interpolates positional parameters directly into an awk program rather than using awk -v, which is a safer practice if untrusted input is expected.
Install Mechanism
This is an instruction-only skill with one bundled shell script and no install spec. Nothing is downloaded or installed at runtime beyond creating a local data directory in the user's HOME.
Credentials
No environment variables, credentials, or config paths are required. The script only uses $HOME to create a per-user data directory, which is reasonable for local data storage.
Persistence & Privilege
always:false and no writes to global agent configuration. The skill only creates a per-user data directory and does not modify other skills or system-wide settings.
Assessment
This skill appears to do what it says: local shipping/duty calculations with a small bash script and no network or credential access. You can install/use it with low risk, but consider: (1) the script has minor bugs (track/batch echo lines won't expand variables), and (2) for safety with untrusted input the script should pass shell variables into awk with -v instead of interpolating them into the awk program. If you plan to run it on sensitive systems or feed untrusted inputs, review/patch the script first. Otherwise it's lightweight and coherent with its description.

Like a lobster shell, security has layers — review code before you run it.

latestvk97314p2ryhx587pazfsgc3k0s836e6sproductivityvk97c7zw89wzbzj0eyn7k6dj7n582rvfn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments