Ship Position
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: hifleet-skills Version: 0.1.7 The skill bundle is a legitimate integration for the HiFleet maritime data API, providing tools to query ship positions, archives, and traffic statistics. The Python scripts (e.g., get_position.py, get_archive.py) use only standard libraries, contain no dynamic code execution (eval/exec), and strictly communicate with documented hifleet.com endpoints. While one script uses an unencrypted HTTP endpoint for traffic statistics, there is no evidence of malicious intent, data exfiltration, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your HiFleet API token could be visible to network observers or intermediary logs and could potentially be used to access HiFleet under your account.
When a HiFleet token is configured, this helper appends it to a plain-HTTP query string for strait traffic; the main flow passes the token whenever it exists, not only when a long date range requires authentication.
STRAIT_TRAFFIC_URL = "http://api.hifleet.com/position/statisticzonetraffic" ... if usertoken: params["usertoken"] = usertoken ... data = get_strait_traffic(oid, start_str, end_str, i18n, token)
Use an HTTPS endpoint if HiFleet supports it, avoid sending the token for recent 7-day strait queries where it is not needed, and use a dedicated token that can be rotated.