HiFleet Claw
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is a scoped HiFleet vessel-position lookup; the main thing to review is that it needs a HiFleet user token even though the registry metadata does not declare one.
This appears safe for its stated purpose if you intend to use HiFleet vessel-position lookup. Before installing, confirm you trust the HiFleet endpoint, provide the token through a secret/config mechanism rather than pasting it into normal conversation, and be aware that the token is required despite not being listed in the registry requirements.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may use your HiFleet account token to query vessel positions, so the token should be handled like a secret.
The skill requires a HiFleet authorization token to query the position API. This is purpose-aligned and scoped to the described endpoint, but it is a credential use that the registry metadata does not declare.
“使用前必须配置授权 token…环境变量:HIFLEET_USER_TOKEN 或 HIFLEET_USERTOKEN…请求时传入:…usertoken”
Use a dedicated or least-privilege HiFleet token if possible, store it in an environment/config secret rather than chat, and rotate it if it is exposed.