← Back to Skills Marketplace
symbolstar

Shipcheck

by SymbolStar · GitHub ↗ · v0.1.0 · MIT-0
cross-platform ✓ Security Clean
66
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install shipcheck
Description
Pre-ship safety net. Scan an npm package, OpenClaw skill folder, or git repo BEFORE publishing to catch personal info leaks (absolute home paths, emails, int...
README (SKILL.md)

shipcheck — pre-publish PII & secret check

shipcheck is a best-effort pre-publish safety net. Run it before npm publish, clawhub publish, or pushing a repo public to catch the stuff you'll regret shipping: absolute /Users/\x3Cyou>/ paths, internal IPs, Tailscale hostnames, API keys, internal project codenames, and soft natural-language personal leaks in markdown.

It is NOT:

  • a replacement for manual review
  • a full secret scanner (gitleaks / trufflehog cover more)
  • a security audit

It is one more pair of eyes before you hit publish.

When to use this skill

Trigger this skill when the user is about to publish or push something public:

  • npm publish / npm publish --dry-run
  • clawhub publish ./my-skill ...
  • git push to a brand-new public repo
  • "check leaks", "is it safe to share?", "扫一下个人信息", "发布前体检"

Install

npm i -g @symbolstar/shipcheck
# or one-shot
npx -y @symbolstar/shipcheck

Run

npm package (default mode)

Scans only files that would actually be published — resolves package.json.files, .npmignore, .gitignore statically (does not invoke npm pack).

cd /path/to/npm-package
shipcheck

Skill folder / generic repo

shipcheck --scan-mode=dir ./path/to/skill-or-repo

Common flags

shipcheck --scan-mode=dir|npm     # default: npm
shipcheck --allow \x3Cid>            # acknowledge a finding by id
shipcheck --config ./shipcheck.config.json

What it catches

Category Examples Severity
secrets AWS keys, GitHub PAT (ghp_/gho_/ghu_/ghs_/ghr_), OpenAI sk-…, Anthropic sk-ant-…, Google AIza…, Slack xox[bp]-…, JWT, PEM/SSH private keys (~30 rules) critical
identity Emails, China mobile + E.164, /Users/\x3Cname>/ & /home/\x3Cname>/ absolute paths, SSH fingerprint high
infra RFC1918 IPs, Tailscale CGNAT 100.64/10, *.tail\x3Cid>.ts.net, *.lan/*.local, private git remotes high
business User-defined forbidden_terms from shipcheck.config.json (codenames, internal product names…) medium
softNL Chinese first-person personal context in *.md (我家 / 我老板 / 我同事 + 关系词) info
binaries *.png/.jpg/.mp4/.zip/.pdf > 50 KB inside the publish set warn

Recommended workflow

# 1. Run it
shipcheck                       # or: shipcheck --scan-mode=dir .

# 2. Triage findings
#    - real leak → fix the file
#    - false positive → add to shipcheck.config.json allow / forbidden_terms

# 3. Re-run until 0 critical / high
shipcheck

# 4. Publish
npm publish    # or: clawhub publish ./skill --slug ...

Exit codes

Code Meaning
0 No findings, or only allow-listed / info / warn
1 One or more critical / high / medium findings — do not ship

Use the exit code in CI or prepublishOnly:

{
  "scripts": {
    "prepublishOnly": "shipcheck && npm run build && npm test"
  }
}

Configuration (optional)

shipcheck.config.json in the project root:

{
  "forbidden_terms": ["AcmeInternalCodename", "ProjectStarfish"],
  "allow": [
    "rule:identity.absolute-home:fixtures/golden/01/setup.md#L12"
  ],
  "scanMode": "npm"
}

Links

  • npm: \x3Chttps://www.npmjs.com/package/@symbolstar/shipcheck>
  • source: \x3Chttps://github.com/SymbolStar/shipcheck> (public mirror — main dev on local repo)
  • author: SymbolStar
Usage Guidance
This looks safe to use for its intended purpose: checking a project before publishing. Before installing, remember that the actual scanner is an external npm package, and only scan folders you intend to publish or share because findings may include sensitive information.
Capability Analysis
Type: OpenClaw Skill Name: shipcheck Version: 0.1.0 The shipcheck skill is a pre-publish security utility designed to scan npm packages and repositories for sensitive information (PII, API keys, internal IPs) before publication. It functions as a wrapper for the `@symbolstar/shipcheck` CLI tool and provides clear instructions for the AI agent to trigger scans during sensitive operations like `npm publish` or `git push`. No evidence of malicious intent, data exfiltration, or harmful prompt injection was found in the skill definition or instructions.
Capability Assessment
Purpose & Capability
The stated purpose is to scan npm packages, OpenClaw skill folders, or repos before publishing for PII and secrets, and the documented commands match that purpose.
Instruction Scope
The skill is intended to run when a user is about to publish or asks for a leak check; it does not instruct publishing, deletion, or account mutation, but users should choose the scan path carefully.
Install Mechanism
The runnable behavior comes from the external npm package @symbolstar/shipcheck, while the submitted artifact set contains only SKILL.md and no package source code.
Credentials
Reading package/repo files for secrets and PII is proportionate to the pre-publish safety purpose, with no artifact evidence of network upload or credential use.
Persistence & Privilege
No required credentials, environment variables, privileged paths, background services, or automatic persistence are declared. The prepublishOnly example is user-directed project configuration.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install shipcheck
  3. After installation, invoke the skill by name or use /shipcheck
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release: pre-publish PII & secret check skill wired to @symbolstar/shipcheck CLI
Metadata
Slug shipcheck
Version 0.1.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Shipcheck?

Pre-ship safety net. Scan an npm package, OpenClaw skill folder, or git repo BEFORE publishing to catch personal info leaks (absolute home paths, emails, int... It is an AI Agent Skill for Claude Code / OpenClaw, with 66 downloads so far.

How do I install Shipcheck?

Run "/install shipcheck" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Shipcheck free?

Yes, Shipcheck is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Shipcheck support?

Shipcheck is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Shipcheck?

It is built and maintained by SymbolStar (@symbolstar); the current version is v0.1.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments