ShipStatic

Security checks across malware telemetry and agentic risk

Overview

ShipStatic appears to be a real hosting tool, but it needs review because it includes under-disclosed credential, token, shell-profile, and live-resource mutation capabilities.

Install only if you trust ShipStatic with the files and account you deploy. Use a dedicated build output directory, review contents before upload, avoid committing or logging API keys and token creation output, prefer environment variables or a protected config file, use `--no-spa-detect` when index.html content is sensitive, and treat remove/token/domain commands as live account changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Medium (89% confidence)
Finding
This code persistently modifies the user's local shell configuration by copying completion scripts into the home directory and editing startup files such as .bash_profile and .zshrc. While shell-completion installation is a common CLI feature, it is outside the stated static-hosting purpose of the skill, increasing supply-chain risk because the skill gains the ability to affect future shell sessions and establish persistence-like behavior.

Description-Behavior Mismatch

Medium (92% confidence)
Finding
The manifest describes a static-hosting capability, but this code edits user shell configuration files and installs sourced scripts into the user's home directory. That mismatch is dangerous because users may grant trust based on the declared hosting purpose while the code performs unrelated persistent local-environment changes, which could be abused if the packaged completion script or install path is compromised.

Context-Inappropriate Capability

Medium (75% confidence)
Finding
The tested browser client appears to expose API token administration operations despite the skill being described only as static hosting and deployment. In a browser-context SDK, token creation/listing/removal is a sensitive administrative capability; if surfaced to agent workflows without clear scoping, it can enable credential proliferation, token discovery, or token revocation beyond user expectations.

Description-Behavior Mismatch

Medium (87% confidence)
Finding
The tests explicitly exercise a `tokens` command group with list/create/remove operations, which expands the skill's apparent capabilities beyond the declared static-hosting and domain-management scope. In an agent setting, undocumented credential-management features increase risk because they may let a user or prompt trigger creation or deletion of account tokens with broader account access than expected.

Context-Inappropriate Capability

Medium (91% confidence)
Finding
Creating and removing API tokens is a sensitive account-security function, and these tests show the skill supports that behavior despite the stated purpose being static site deployment and domain/file operations. If exposed through an agent, token creation can establish persistent access and token removal can disrupt access control, making this materially more dangerous than ordinary deployment actions.

Missing User Warnings

Medium (88% confidence)
Finding
The documentation presents commands that can reserve domains, repoint live traffic, remove deployments, and remove domains without clearly warning that these actions modify production hosting state. In an agent setting, missing warnings increase the chance of accidental destructive execution or unintended changes to publicly reachable infrastructure.

Missing User Warnings

Medium (90% confidence)
Finding
The README shows `ship.deployments.upload(...)` as a simple example but does not explicitly warn that the provided files are transmitted to ShipStatic, a remote third-party service. In documentation for deployment tooling, this omission can cause users to upload sensitive local files or test data under the mistaken impression that the operation is local or otherwise low-risk.

Missing User Warnings

Medium (94% confidence)
Finding
The Quick Start section presents initialization and upload code as a minimal copy-paste flow, but it omits any disclosure that `input` is sent off-host to a remote hosting provider. Because this is the primary onboarding path, users may deploy broad directory paths or browser-selected files without understanding the data transfer and exposure implications.

Missing User Warnings

Medium (90% confidence)
Finding
The example code hardcodes deploy tokens and API keys directly in source, which normalizes unsafe credential handling and creates a realistic risk that developers will copy the pattern into production code or accidentally commit real secrets. In a deployment skill, these credentials grant publish capability, so exposed values could enable unauthorized deployments, content replacement, or account misuse.

Natural-Language Policy Violations

High (99% confidence)
Finding
A hard-coded API key in example code exposes a credential that can be reused by anyone who reads the repository, logs, or package contents. If the key is valid, an attacker could deploy content, access account resources, consume service quotas, or modify hosted assets under the associated ShipStatic account.

Missing User Warnings

Medium (93% confidence)
Finding
The README tells users to select files or folders to deploy but does not clearly warn that the chosen contents will be uploaded to a remote third-party hosting service. In a deployment skill, this omission can cause users to transmit unintended sensitive files such as environment files, private assets, or internal documents, especially when folder upload is encouraged via directory selection.

Missing User Warnings

Medium (95% confidence)
Finding
The CLI prompts for an API key using standard readline input, which echoes typed characters to the terminal. This can expose the secret to shoulder-surfing, terminal recordings, screen shares, shell session logs, or captured CI/remote terminal sessions. In this skill context, the risk is meaningful because the value is a deployment API credential for a hosting service, so disclosure could enable unauthorized uploads or site management.

Missing User Warnings

Medium (96% confidence)
Finding
The token formatter prints the entire token creation response, which can include the newly issued secret token value. In a CLI context, this may leak credentials into terminal scrollback, shell history capture, logs, CI output, or session recordings, enabling unauthorized API access if an attacker later obtains that output.

VirusTotal

65/65 vendors flagged this skill as clean.
