ClawHub

ShipStation Orders

v1.1.0

Monitor ShipStation orders, detect issues, and send alerts. For e-commerce businesses using ShipStation for order fulfillment across multiple platforms (Amaz...

0· 555·1 current·1 all-time
byChris Price@cprice70
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match what the files implement: polling ShipStation orders, detecting conditions (stuck, on-hold, expedited), and writing local state. The required env vars (SHIPSTATION_API_KEY, SHIPSTATION_API_SECRET) and node runtime are appropriate for this purpose.
Instruction Scope
SKILL.md and the scripts instruct the agent to read a local .env, call ShipStation's API, and write local state files (state.json, shipping-state.json). There are no instructions to read unrelated system files, exfiltrate data to third-party endpoints, or access other credentials.
Install Mechanism
No install spec is provided (instruction-only), but the package includes JS scripts. This is coherent: the skill expects node to be available and runs local scripts. Note: Node version compatibility (global fetch used) may require a recent Node (v18+) but that's an operational, not a security, issue.
Credentials
Only ShipStation API credentials are requested and used. The code loads .env from the skill directory and also checks process.env in one script; it does not request or access unrelated secrets or service credentials.
Persistence & Privilege
The skill writes/reads its own local state files to track processed orders. It does not request elevated or system-wide privileges, does not modify other skills/configs, and is not configured with always:true.
Assessment
This skill appears to do exactly what it says: poll ShipStation and flag order issues. Before installing: (1) Only provide ShipStation API key/secret — do not reuse high-privilege keys from other services. (2) Keep the .env file out of version control (SKILL.md advises adding it to .gitignore). (3) Expect local state files (state.json, shipping-state.json) to be created in the skill directory; they contain processed order IDs but not credentials. (4) Ensure your Node runtime is recent enough (Node 18+) because the scripts use global fetch. (5) If you plan to allow autonomous agent invocation, remember the agent may run these scripts on schedule; review scheduling/notification integration to avoid accidental disclosure. If any of the above is unacceptable, do not install or run the scripts until you make configuration changes (separate credentials, run in isolated environment, or review code).

Like a lobster shell, security has layers — review code before you run it.

latestvk9743yn7px8kzsh9cy5z08x4j981qhk8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode
EnvSHIPSTATION_API_KEY, SHIPSTATION_API_SECRET

Comments