Shippo
Result: Pass. Audited by ClawScan on May 13, 2026.
Overview
The skill is a coherent Shippo shipping integration, but it uses a Shippo API key that can buy real labels, so live purchases should be confirmed carefully.
Install only if you intend to let the agent manage Shippo shipping tasks. Start with a `shippo_test_*` key, confirm addresses/rates before purchasing labels, be especially careful with batch purchases, and choose the self-hosted MCP option if you do not want your API key and shipping data routed through the hosted Gram gateway.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with a live Shippo key, the agent can purchase labels and potentially incur real charges, especially in batch workflows.
The tool catalog includes actions that can buy individual or batch shipping labels. This is central to a shipping skill, but it is financially impactful.
`purchase_shipping_label` ... Purchase a shipping label from an existing rate ... `purchase_batch_labels` Purchase labels for all valid shipments in a batch.
Use test keys while experimenting, review rates and addresses, and require explicit confirmation before any live label or batch-label purchase.

Anyone or any configured agent with access to the live key may be able to create shipments, view shipping account data, and buy labels through Shippo.
The skill requires a Shippo API key, and live-mode keys can perform account actions that result in real charges.
Required env vars: SHIPPO_API_KEY ... `shippo_live_*`: Real charges. Inform the user which mode they are in.
Prefer a `shippo_test_*` key for setup and testing, protect the API key, rotate it if exposed, and only use a live key when you are ready for billable shipping.

Shipping addresses, package details, and the Shippo API key may pass through the hosted MCP gateway as part of normal operation.
The default setup routes MCP traffic, including the Shippo API key header and shipping workflow data, through an external hosted gateway.
MCP server (default): Shippo-hosted via Gram ... The MCP client connects over HTTPS with your Shippo API key passed as a custom header
Use the documented self-hosted `@shippo/shippo-mcp` option if you do not want to route Shippo requests through the Gram gateway.

A changed or compromised npm package could affect the local MCP bridge and potentially see the API key passed through it.
The fallback setup fetches and runs an unpinned npm package version. This is a disclosed, user-directed setup path, but the package code is not included in the supplied artifacts.
"command": "npx", "args": ["-y", "mcp-remote@latest", "https://app.getgram.ai/mcp/shippo-key-auth", ...]
Pin npm package versions where possible, install from trusted sources, and avoid pasting live API keys into untrusted local configurations.
