Is pfrederiksen/shipment-tracker safe?
https://github.com/pfrederiksen/shipment-tracker
This is a legitimate package tracking skill that reads markdown files and queries carrier websites for shipping status. The code uses only standard library functions with no malicious behavior detected, and explicitly warns users about privacy implications of fallback browser-use features.
Findings (3)
MEDIUM Sensitive file access detected pre-installation -15
System monitoring detected access to sensitive files (.env, SSH keys, AWS credentials) at 07:05:38, but this occurred before the skill installation at 07:05:44. The accesses appear to be from system startup processes rather than the skill itself.
LOW Python script execution -10
The skill contains a Python script that performs package tracking functionality. The script uses only standard library imports and performs read-only operations on user-specified files and HTTP requests to carrier websites.
LOW Third-party data transmission via browser-use -15
The skill recommends using browser-use commands for tracking when HTTP parsing fails, which transmits package data to cloud services. However, this is explicitly documented with privacy warnings.