Ship Position
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches a read-only HiFleet ship lookup, but its strait-traffic helper can send the optional HiFleet token over plain HTTP.
Only configure a HiFleet token if you need authenticated features, use a dedicated rotatable token, and avoid token-backed strait-traffic queries until the skill uses HTTPS or omits the token unless strictly required.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your HiFleet API token could be visible to network observers or intermediary logs and could potentially be used to access HiFleet under your account.
When a HiFleet token is configured, this helper appends it to a plain-HTTP query string for strait traffic; the main flow passes the token whenever it exists, not only when a long date range requires authentication.
STRAIT_TRAFFIC_URL = "http://api.hifleet.com/position/statisticzonetraffic" ... if usertoken: params["usertoken"] = usertoken ... data = get_strait_traffic(oid, start_str, end_str, i18n, token)
Use an HTTPS endpoint if HiFleet supports it, avoid sending the token for recent 7-day strait queries where it is not needed, and use a dedicated token that can be rotated.