Skill v1.0.0
ClawScan security
Ship24 Order Tracking · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 3:42 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions match its stated purpose (using the Ship24 tracking API) and request only the Ship24 API key; nothing in the SKILL.md appears disproportionate or unrelated.
- Guidance: This skill appears coherent and limited to Ship24 API usage. Before installing:
  1) Only provide a Ship24 API key that you obtain from your Ship24 account (prefer a scoped or limited key if available).
  2) Confirm the MCP URL (https://api.ship24.com/mcp) matches official Ship24 docs and that you trust the source before adding it to .mcp.json (that file controls where the agent will send requests).
  3) Protect the SHIP24_API_KEY like any secret (store it in a secure environment, rotate/revoke if compromised).
  4) Be aware webhook-related actions (resend_webhooks) can replay notifications — use carefully.

  If you need stronger assurance, ask the publisher for provenance or a repository link before providing credentials.
Review Dimensions
- Purpose & Capability: ok. Name/description, declared requirement (SHIP24_API_KEY), and the SKILL.md all describe using the Ship24 HTTP API and registering an MCP server; the requested credential and configuration are appropriate for this purpose.
- Instruction Scope: ok. SKILL.md is focused on API usage: it instructs adding an MCP server entry to .mcp.json and setting SHIP24_API_KEY, and enumerates API operations. It does not ask the agent to read unrelated files, inspect other env vars, or exfiltrate data to unexpected endpoints.
- Install Mechanism: ok. No install spec or code is present (instruction-only skill), so nothing will be written to disk or downloaded during install.
- Credentials: ok. Only a single API key (SHIP24_API_KEY) is required, which is proportionate for a third-party tracking API. No unrelated credentials or broad secrets are requested.
- Persistence & Privilege: ok. always is false and the skill is user-invocable. The only configuration change the SKILL.md suggests is adding an MCP server entry (to route API calls); this is expected and scoped to the skill's API endpoint.
