Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ShipStatic

v0.7.20

Static hosting via ShipStatic. Use when the user wants to deploy a website, upload files, manage deployments, set up domains, or publish static files to ship...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description align with the requested binary ('ship'), the declared env var (SHIP_API_KEY), and the npm package @shipstatic/ship. Requiring the ship binary and an API key is appropriate for a CLI that deploys static sites.
Instruction Scope
SKILL.md runtime instructions are narrowly scoped to installing the CLI, authenticating (ship config or SHIP_API_KEY), and running deploy/domain/deployment commands. The instructions do not ask the agent to read unrelated system files or transmit data to unexpected endpoints.
Install Mechanism
Install is a standard npm package (@shipstatic/ship) which publishes a 'ship' binary. This is an expected, moderate-risk mechanism for a CLI SDK; no ad-hoc URL downloads or extract-from-URL steps were used.
Credentials (flagged)
The skill only requires SHIP_API_KEY (proportionate for the service), but the package contents include an embedded API key literal (examples/node/index.js) that matches the described key format. Committed API keys in example files are unexpected and can indicate accidental leakage of a live credential; this is a serious proportionality and secret-management concern.
Persistence & Privilege
The skill does not request always:true and does not declare config paths or system-wide modifications. Agent autonomy remains at the default level. No elevated persistence or cross-skill configuration modifications were found.
What to consider before installing
This package appears to be a legitimate CLI/SDK for deploying static sites, and installing via npm is expected. However, the repository includes a hard-coded API key in examples/node/index.js (a value beginning with 'ship-...' matching the described key pattern). Before installing or using this skill:
1) Treat that embedded key as suspicious; do not assume it is a safe dummy. If you control accounts related to ShipStatic, search for and rotate any exposed keys.
2) Ask the publisher/maintainer whether the key is intentionally dummy data; prefer packages without real credentials committed.
3) If you plan to use this skill, set SHIP_API_KEY to your own scoped key (not any key found in examples) and verify the package source (check the GitHub homepage and npm publisher).
4) Run standard npm checks (npm audit), inspect package contents locally before executing, and avoid running example scripts that contain embedded credentials until you confirm they are safe.
If you want, I can point out the exact file and line containing the embedded key and help you draft a message to the package maintainer asking them to revoke/replace it.
tests/mocks/cli.js:25
Shell command execution detected (child_process).
tests/node/cli/completion.test.ts:8
Shell command execution detected (child_process).
tests/node/cli/helpers.ts:66
Shell command execution detected (child_process).
scripts/post-build.cjs:15 (flagged)
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.




Runtime requirements

🚀 Clawdis
Bins: ship
Env: SHIP_API_KEY
Primary env: SHIP_API_KEY

Install

Node
Bins: ship
npm i -g @shipstatic/ship
