Shippo
v1.0.2Shippo integration. Manage Shipments, Batchs. Use when the user wants to interact with Shippo data.
⭐ 0· 97·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description claim a Shippo integration and the SKILL.md consistently instructs using Membrane to connect to Shippo, discover actions, run actions, and proxy Shippo API calls. There are no unrelated credential requests or surprising binaries required.
Instruction Scope
Instructions are limited to installing/using the Membrane CLI, logging in, creating a connector connection, listing/running actions, and proxying requests. The skill does not instruct reading arbitrary files, environment variables, or sending data to unexpected endpoints; it explicitly recommends letting Membrane manage credentials.
Install Mechanism
No install spec is embedded in the skill; it recommends installing the Membrane CLI via `npm install -g @membranehq/cli` or using npx. This is expected for a CLI-based workflow but installing global npm packages carries the usual supply-chain and privilege risks — verify the package and publisher before installing.
Credentials
The skill declares no required environment variables or credentials and instructs the user to use Membrane-managed connections (no local API keys). Requested access (network and a Membrane account) is proportionate to the described Shippo integration.
Persistence & Privilege
The skill does not set always:true and is user-invocable only. It instructs standard CLI login and connector creation via the user's browser-based OAuth flow; it does not request persistent system-level modifications or access to other skills' configs.
Assessment
This skill is instruction-only and uses the Membrane CLI to talk to Shippo; it does not request API keys or other system credentials. Before installing: (1) confirm you trust @membranehq/cli and the Membrane service (check the official homepage/repo and publisher identity); (2) be aware that `npm install -g` installs a global package — only install packages from publishers you trust; (3) the workflow requires a Membrane account and will open a browser for authentication, so ensure you’re comfortable granting that connector access; (4) review any connector permissions shown during the browser auth flow before approving. If you prefer not to install a global CLI, consider using npx or running commands in an isolated environment.Like a lobster shell, security has layers — review code before you run it.
latestvk9713ak3fdjyp4hqp7am3d9s5h84336w
License
MIT-0
Free to use, modify, and redistribute. No attribution required.