Shipping Calc
Verdict: Warn
Audited by ClawScan on May 10, 2026.
Overview
This mostly looks like a local shipping calculator, but a coding flaw can let specially crafted input run local commands.
Treat this as a Review item rather than a safe install. The skill is simple and mostly coherent, but its script should be fixed before use in any workflow that may pass package details from customers, emails, web pages, or other untrusted sources.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent runs this command with malicious or untrusted shipment fields, those fields could cause arbitrary commands to run on the user's machine.
User-controlled positional parameters are expanded directly into the awk source program instead of being passed safely as variables, so crafted input can alter the awk code; awk supports system command execution.
awk "BEGIN{base=5; per_kg=2.5; printf \"Shipping %skg %s->%s: \$%.2f\n\",$2,$3,$4,base+$2*per_kg}"

Do not use this skill with untrusted input until patched. The maintainer should validate numeric and country inputs and pass values to awk with safe mechanisms such as awk -v variables rather than embedding shell arguments into awk code.
