ShipStation Orders
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill appears to do what it claims—read ShipStation orders and alert on issues—but it needs ShipStation credentials and will expose order/customer details to the agent for monitoring.
This skill is reasonable for a ShipStation monitoring workflow. Before installing, make sure you trust the workspace where the `.env` credentials will live, understand that order/customer summaries may be visible to the agent and alert channels, and only enable heartbeat or cron monitoring if you want continuous checks.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone running the skill with these credentials can read ShipStation order information available to that API credential.
The script authenticates to ShipStation using the user's API key and secret, which is expected for this integration but grants access to business order data.
const apiKey = env.SHIPSTATION_API_KEY;
const apiSecret = env.SHIPSTATION_API_SECRET;
...
'Authorization': `Basic ${auth}`
Use the least-privileged ShipStation credentials available, keep the `.env` file private, and rotate the API key/secret if the workspace is shared or compromised.
If configured, the agent may keep checking ShipStation and sending alerts on a schedule rather than only when manually invoked.
The skill documents recurring autonomous monitoring through an agent heartbeat or cron job. This is disclosed and aligned with order monitoring, but it creates ongoing background activity if the user enables it.
Every 15 minutes:
1. Run: `node check-orders.js`
2. Parse results
3. If new orders or alerts → notify via sessions_send
4. If nothing → HEARTBEAT_OK
Or use a cron job for scheduled checks.
Enable scheduled checks only if desired, confirm the alert destination, and choose a polling interval that matches ShipStation rate limits and business needs.
Customer names, order totals, marketplace source, and order identifiers may appear in agent logs, session messages, or local state files.
The script emits customer/order details into agent-visible output and persists local state for future checks. This is needed for alerts, but the data is sensitive business/customer information.
customer: order.shipTo?.name || 'Unknown',
total: order.orderTotal,
marketplace: order.advancedOptions?.source || 'Unknown'
...
fs.writeFileSync(statePath, JSON.stringify(state, null, 2));
Treat outputs and state files as sensitive, avoid sending alerts to broad channels, and delete or protect state files if the workspace is shared.
