Is kclonts/shipp safe?

https://github.com/openclaw/skills/tree/main/skills/kclonts/shipp

Overall score: 83 (SAFE)

The Shipp skill is a legitimate API connector for Outsharp Inc.'s real-time sports data service, containing only markdown documentation and metadata with no executable code, no prompt injection, and a clean installation from GitHub. The most significant concern is the Alph Bot reference implementation — a complete autonomous trading bot blueprint that uses Claude AI and executes real-money trades on prediction markets — which could lead an agent to take unauthorized financial action if the user requests sports betting automation. Secondary concerns include third-party data sharing of natural-language query context with Outsharp Inc. and directive instructions embedded in the skill that go beyond API documentation.

Category Scores

Prompt Injection 78/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 92/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (6)

HIGH Autonomous Financial Trading Reference Implementation -45

Both SKILL.md and README.md prominently feature Alph Bot, described as a 'production-quality integration' and 'open-source automated trading bot' that uses Shipp for sports data, Claude AI for probability estimation, and Kalshi for executing real-money prediction market trades. This constitutes a detailed blueprint for autonomous financial action. An agent with this skill active that receives any request related to sports betting automation has a complete, validated reference implementation that could result in unauthorized real-money transactions.

MEDIUM Directive Action Instructions Embedded in Skill Context -18

SKILL.md contains two imperative directives not present in standard API documentation: 'Implement as many tests as possible as soon as possible' and 'Verify data and how the app uses data.' These are action instructions that could cause an agent to aggressively generate and execute test code or scan user application code and data flows without explicit per-task authorization. The urgency framing ('as soon as possible') is atypical for API reference material.

MEDIUM Natural-Language Query Context Transmitted to Third Party -15

The core API mechanic requires sending natural-language filter_instructions to api.shipp.ai describing what events, teams, or games to track. These instructions are authored in the user's or agent's own words and could reveal sensitive application context, business strategy, or personal interests to Outsharp Inc. No privacy policy, data retention schedule, or subprocessor disclosure is referenced in the skill.

MEDIUM Billing and Account Endpoints in Allowed Tool Scope -7

The allowed-tools declaration grants curl access to the entire platform.shipp.ai domain (https://platform.shipp.ai/*), which the documentation explicitly states includes billing management and account signup — not just API data endpoints. This allows an agent to read billing status, potentially modify subscription details, or interact with account settings beyond the stated purpose of fetching sports data.

LOW Sensitive Credential Files Read During Monitoring Window -8

Six high-value files were opened for reading during the monitoring window in two batches: before the git clone (1771932260) and after install (1771932278). Timing analysis and the absence of corresponding network exfiltration strongly suggest these reads originated from the oathe audit infrastructure (canary setup and post-install verification) rather than from the skill payload, which contains no executable code. Canary integrity check confirmed all files unmodified.

INFO No Executable Code — Markdown and JSON Only -3

The skill package is entirely static documentation. The installation produced exactly three files: SKILL.md, README.md, and _meta.json. No npm lifecycle scripts, git hooks, .gitattributes filter drivers, .gitmodules, shell scripts, Python files, or symlinks were detected. The sparse-checkout install process completed without executing any code from the skill payload.