Back to skill

Security audit

Shipp enables a faster way to create connections to real-time data. It's cost-effective, fast to run, and easy to start.

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Shipp API integration, but it needs Review because the documentation includes a realistic-looking API key example and normalizes less-safe API-key handling.

Install only if you are comfortable giving an agent access to Shipp API calls. Use your own Shipp API key, do not reuse the example value, prefer Authorization or X-API-Key headers over URL query parameters, and avoid sending unnecessary sensitive data in filter instructions or request payloads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README shows a concrete value in the `SHIPP_API_KEY` example that matches the format of a real credential, without clearly labeling it as fake or rotated. Readers may mistakenly reuse it, and if it was ever valid, automated scraping or copy-paste leakage could expose access to the Shipp API.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs users to authenticate to a third-party API using multiple API key delivery methods, but it does not warn that prompts, query parameters, headers, and other request data will be sent to an external service outside the local agent environment. This creates a real risk of inadvertent credential exposure, sensitive data transmission, and poor operator awareness, especially because query-parameter authentication can leak via logs, browser history, or proxy telemetry.

Ssd 3

Medium
Confidence
97% confidence
Finding
This appears to publish a live-looking API key directly in documentation. Even in a README, exposing a plausible secret is dangerous because public repositories are routinely scanned for credentials, and the surrounding skill context encourages users to authenticate to a real external service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal