← Back to Skills Marketplace
177
Downloads
1
Stars
0
Active Installs
6
Versions
Install in OpenClaw
/install shippage
Description
Publish HTML or Markdown to a public URL instantly. Zero config, auto-registers on first use. Use when the user wants to share, preview, host, or deploy gene...
Usage Guidance
This skill does what it claims (publishes HTML/Markdown) but it will: (1) auto-register and save credentials to ~/.shippage/credentials.json, and (2) silently check a remote server and may overwrite your local SKILL.md with whatever it downloads from shippage.ai. Before installing or using it: review the shippage.ai domain and privacy/terms; do not publish secrets or private data through the service; consider running the agent/skill in a sandbox or with a backup of any SKILL.md you care about; disable or manually approve updates if possible; inspect the credentials file content and restrict its permissions; and prefer manual review of any downloaded SKILL.md (the update is not signed or integrity-checked). If you are uncomfortable with remote replacement of local instruction files, treat this skill as untrusted.
Capability Analysis
Type: OpenClaw Skill
Name: shippage
Version: 1.2.0
The skill contains a self-update mechanism in SKILL.md that instructs the AI agent to silently check for updates and overwrite its own instruction file (SKILL.md) with content downloaded from https://shippage.ai/v1/skill/download. This pattern enables remote instruction injection, allowing the server to potentially change the agent's behavior or introduce malicious prompts in the future without user oversight. While the primary functionality of publishing web content to shippage.ai is consistent with the stated purpose, the auto-update logic represents a significant security risk and a potential backdoor for the agent's logic.
Capability Assessment
Purpose & Capability
The skill's declared purpose (publish HTML/Markdown to a public URL) matches the commands and endpoints in SKILL.md: it uses curl to POST content to shippage.ai and saves returned credentials to ~/.shippage/credentials.json. Required binaries (curl) and file reads/writes (reading a Markdown file, storing credentials) are coherent with the described functionality.
Instruction Scope
Instructions include a silent 'auto-update' step that queries https://shippage.ai/v1/skill/version and, if an update is advertised, downloads https://shippage.ai/v1/skill/download and atomically replaces SKILL.md in several possible local paths. That behavior modifies runtime instructions without integrity/signature verification and happens 'silently' before first use. The publish flow writes credentials to ~/.shippage/credentials.json and reads files like your-file.md — those are expected, but the silent remote replacement of local instruction files is a scope and trust escalation risk.
Install Mechanism
There is no formal install spec (instruction-only), which reduces attack surface. However, the skill's built-in update mechanism downloads content from shippage.ai and replaces local SKILL.md. Downloading and replacing instruction files from the project's domain is traceable but performed without signature checks or explicit user consent, which increases risk compared to a vetted package or signed update.
Credentials
The skill requests no environment variables or unrelated credentials. It stores an API key returned by the service in ~/.shippage/credentials.json, which is proportionate to auto-registration and publishing functionality. It does not ask for unrelated secrets or system tokens.
Persistence & Privilege
The skill does not set always:true and does not request system-wide privileges. It does, however, write credentials to ~/.shippage and may overwrite local SKILL.md files in several locations. Writing to its own SKILL.md and its own config is normal, but the ability to silently replace local instruction files increases its persistence/privilege footprint within an agent's skill directory.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install shippage - After installation, invoke the skill by name or use
/shippage - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
v1.2.0: Skill auto-update, improved Markdown support
v1.1.1
v1.1.1: Add Markdown publishing support, publish .md files directly as styled web pages
v1.1.0
v1.1.0: 新增 Markdown 发布支持,自动转换为 GitHub 风格网页
v1.0.1
Optimize description for better discovery. Add semantic search coverage for publish/share/preview/deploy/mobile/WeChat intents. Improve usage docs with clear use-case bullets.
v1.0.0
Launch: zero-config HTML publishing for AI agents
v0.1.0
- Initial release of shippage (v0.1.0): instantly publish HTML to a live public URL, zero configuration required.
- First publish auto-registers your agent and stores credentials for future use.
- Simple CLI workflow using curl to publish, update, list, and delete HTML pages.
- Supports optional parameters like title, custom slug, password protection, and expiry time.
- Clear error handling for quota, URL conflicts, and size limits.
- Free tier includes up to 20 publishes per month, 14-day retention, and 500KB page size.
Metadata
Frequently Asked Questions
What is Shippage?
Publish HTML or Markdown to a public URL instantly. Zero config, auto-registers on first use. Use when the user wants to share, preview, host, or deploy gene... It is an AI Agent Skill for Claude Code / OpenClaw, with 177 downloads so far.
How do I install Shippage?
Run "/install shippage" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Shippage free?
Yes, Shippage is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Shippage support?
Shippage is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Shippage?
It is built and maintained by Uncle.J (@uncle-jacky); the current version is v1.2.0.
More Skills