中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:22 小时前 重新扫描
5 /100
shippo-official
Multi-carrier rate shopping, label generation, package tracking, address validation, customs declarations, and batch processing from CSV files
A legitimate, documentation-only shipping skill using the Shippo API via a documented MCP server. No scripts, code, or hidden functionality. All capabilities are declared in SKILL.md.
技能名称shippo-official
分析耗时33.3s
引擎pi
可以安装
Approve for use. The skill's functionality (address validation, rate shopping, label purchase, tracking, batch processing) is fully documented and operationally appropriate for a shipping integration.

安全发现 1 项

严重性 安全发现 位置
低危
Third-party MCP endpoint access 权限提升
The skill routes all API requests through an external MCP server at app.getgram.ai. This server is the documented Shippo MCP beta integration, but it introduces a third-party dependency for routing API calls. The SHIPPO_API_KEY is sent as a header to this endpoint.
MCP server: https://app.getgram.ai/mcp/shippo-mcp-beta
→ This is operationally necessary for the MCP architecture. The endpoint is clearly declared and appears to be the official Shippo MCP integration. No evidence of data exfiltration beyond Shippo API traffic.
 SKILL.md:22
资源类型声明权限推断权限状态证据
文件系统 NONE NONE No file operations found; documentation-only
网络访问 READ READ ✓ 一致 SKILL.md:22 — MCP server https://app.getgram.ai/mcp/shippo-mcp-beta
命令执行 NONE NONE No shell scripts or subprocess calls found
环境变量 READ READ ✓ 一致 SKILL.md:metadata — requires SHIPPO_API_KEY only
技能调用 READ READ ✓ 一致 MCP tools defined in references/tool-reference.md
剪贴板 NONE NONE No clipboard access documented or present
浏览器 NONE NONE No browser automation documented or present
数据库 NONE NONE No database operations documented or present
2 项发现
🔗
中危 外部 URL 外部 URL
https://app.getgram.ai/mcp/shippo-mcp-beta
SKILL.md:22
📧
提示 邮箱 邮箱地址
[email protected]
references/csv-format.md:60

目录结构

5 文件 · 52.3 KB · 1239 行
Markdown 5f · 1239L
├─ 📁 references
│ ├─ 📝 carrier-guide.md Markdown 136L · 5.6 KB
│ ├─ 📝 csv-format.md Markdown 106L · 5.8 KB
│ ├─ 📝 customs-guide.md Markdown 227L · 9.1 KB
│ └─ 📝 tool-reference.md Markdown 404L · 15.0 KB
└─ 📝 SKILL.md Markdown 366L · 16.7 KB

安全亮点

✓ Documentation-only skill — no executable code, scripts, or binaries present
✓ All capabilities fully declared in SKILL.md and reference documents
✓ No obfuscation, base64, or anti-analysis patterns detected
✓ No credential harvesting beyond the declared SHIPPO_API_KEY
✓ No filesystem write, shell execution, or persistence mechanisms
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env inspection)
✓ No C2 communication, reverse shell, or data exfiltration patterns
✓ Comprehensive user confirmation gates before label purchases
✓ Clear test vs. live mode distinction with API key prefix checking
✓ No supply chain risk — no dependencies or package manager files