Ship24 Order Tracking

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Ship24 tracking skill whose API key use, tracker creation, and webhook features match its stated shipment-tracking purpose.

Before installing, confirm you trust the publisher and the Ship24 MCP URL. Use a revocable or least-privileged Ship24 API key if available, avoid putting sensitive customer or order identifiers in tracker references unless needed, and verify any webhook destination you use because replaying or subscribing to webhooks can send shipment event data to that endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill advertises webhook creation, subscription toggling, and webhook replay functionality without warning users that shipment metadata and tracking events may be transmitted to external webhook endpoints. This can lead to unintended disclosure of customer/order identifiers, shipping activity, and other operational data if users enable or resend webhooks without understanding the data flow.

VirusTotal

65/65 vendors flagged this skill as clean.
