symbolstar / Shipcheck

Author SymbolStar · GitHub ↗ · v0.1.0 · MIT-0
cross-platform ✓ security check passed

Total downloads: 66 · Favourites: 0 · Current installs: 0 · Versions: 1

Install in OpenClaw:
/install shipcheck

Description

Pre-ship safety net. Scan an npm package, OpenClaw skill folder, or git repo BEFORE publishing to catch personal info leaks (absolute home paths, emails, int...

Usage (SKILL.md)

shipcheck — pre-publish PII & secret check

shipcheck is a best-effort pre-publish safety net. Run it before npm publish, clawhub publish, or pushing a repo public to catch the stuff you'll regret shipping: absolute /Users/<you>/ paths, internal IPs, Tailscale hostnames, API keys, internal project codenames, and soft natural-language personal leaks in markdown.

It is NOT:

  • a replacement for manual review
  • a full secret scanner (gitleaks / trufflehog cover more)
  • a security audit

It is one more pair of eyes before you hit publish.

When to use this skill

Trigger this skill when the user is about to publish or push something public:

  • npm publish / npm publish --dry-run
  • clawhub publish ./my-skill ...
  • git push to a brand-new public repo
  • "check leaks", "is it safe to share?", "扫一下个人信息" (scan for personal info), "发布前体检" (pre-release check-up)

Install

npm i -g @symbolstar/shipcheck
# or one-shot
npx -y @symbolstar/shipcheck

Run

npm package (default mode)

Scans only files that would actually be published — resolves package.json.files, .npmignore, .gitignore statically (does not invoke npm pack).

cd /path/to/npm-package
shipcheck
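The point of the default mode is that it reasons about the publish set rather than the whole working tree, so a file ignored by .npmignore is not a finding and a file listed in "files" is. As an added illustration (this is not the shipcheck project's code), the block below derives that set statically from an in-memory tree. It is deliberately simplified: only plain names, directory prefixes and "*.ext" patterns are handled; negation, "**", anchored patterns and per-subdirectory ignore files are out of scope, and the always-included / always-excluded lists are a subset of npm's. Both sample trees are constructed.

```javascript
// Added example, not shipcheck's own code: a simplified, in-memory
// approximation of the npm publish set, computed without running npm pack.

// Files npm always publishes from the package root, whatever "files" says (subset).
const ALWAYS_INCLUDED = /^(package\.json|README(\..*)?|LICEN[CS]E(\..*)?|CHANGELOG(\..*)?)$/i;
// Entries npm never publishes (subset).
const ALWAYS_EXCLUDED = new Set(["node_modules", ".git", ".npmrc", "package-lock.json", ".DS_Store"]);

function parseIgnore(text) {
  return text.split(/\r?\n/).map(l => l.trim()).filter(l => l && !l.startsWith("#"));
}

// Does a simplified gitignore-style pattern cover this path?
// "*.ext" matches on the basename; a pattern without "/" matches any path
// segment; a pattern with "/" matches the path itself or anything below it.
function matches(path, pattern) {
  const p = pattern.replace(/\/+$/, "");
  const segs = path.split("/");
  const base = segs[segs.length - 1];
  if (p.startsWith("*.")) return base.endsWith(p.slice(1));
  if (p.includes("/")) return path === p || path.startsWith(p + "/");
  return segs.includes(p);
}

// tree: { "relative/path": "file contents", ... }
function resolvePublishSet(tree) {
  const pkg = JSON.parse(tree["package.json"]);
  const filesField = Array.isArray(pkg.files) ? pkg.files : null;
  // .npmignore wins; .gitignore is only consulted when there is no .npmignore.
  const ignore = parseIgnore(tree[".npmignore"] ?? tree[".gitignore"] ?? "");

  return Object.keys(tree).filter(path => {
    const segs = path.split("/");
    if (segs.some(s => ALWAYS_EXCLUDED.has(s))) return false;
    if (segs.length === 1 && ALWAYS_INCLUDED.test(path)) return true;
    if (pkg.main && path === pkg.main.replace(/^\.\//, "")) return true;
    if (filesField) {
      // A root ignore file does not override "files" (npm docs); ignore files
      // in subdirectories would, but they are out of scope here.
      return filesField.some(entry => matches(path, entry));
    }
    return !ignore.some(pat => matches(path, pat));
  }).sort();
}

// Constructed sample tree with a "files" whitelist.
const TREE_WITH_FILES = {
  "package.json": JSON.stringify({ name: "demo", main: "lib/index.js", files: ["lib", "README.md"] }),
  "README.md": "# demo",
  "LICENSE": "MIT-0",
  ".npmignore": "*.ts\n",
  "lib/index.js": "module.exports = require('./util');",
  "lib/util.js": "module.exports = 1;",
  "lib/types.d.ts": "export {};",
  "src/index.ts": "export {};",
  "test/index.test.js": "// tests",
  ".env": "API_KEY=constructed-placeholder",
  "notes/TODO.md": "call the boss about ProjectStarfish",
  "node_modules/dep/index.js": "",
  "package-lock.json": "{}",
};

// Same tree without "files": only the ignore file keeps things out, so
// notes/TODO.md (and its codename) would ship.
const TREE_NO_FILES = {
  ...TREE_WITH_FILES,
  "package.json": JSON.stringify({ name: "demo", main: "lib/index.js" }),
  ".npmignore": "*.ts\ntest/\n.env\n",
};

console.log("with files:", resolvePublishSet(TREE_WITH_FILES));
console.log("no files:  ", resolvePublishSet(TREE_NO_FILES));
```

Running it shows why the two trees scan differently: with a "files" whitelist the stray notes/ directory and .env never enter the publish set, while without it only what .npmignore names is kept out.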

Skill folder / generic repo

shipcheck --scan-mode=dir ./path/to/skill-or-repo

Common flags

shipcheck --scan-mode=dir|npm     # default: npm
shipcheck --allow <id>            # acknowledge a finding by id
shipcheck --config ./shipcheck.config.json

What it catches

| Category | Examples | Severity |
|----------|----------|----------|
| secrets | AWS keys, GitHub PAT (ghp_/gho_/ghu_/ghs_/ghr_), OpenAI sk-…, Anthropic sk-ant-…, Google AIza…, Slack xox[bp]-…, JWT, PEM/SSH private keys (~30 rules) | critical |
| identity | Emails, China mobile + E.164, /Users/<name>/ & /home/<name>/ absolute paths, SSH fingerprint | high |
| infra | RFC1918 IPs, Tailscale CGNAT 100.64/10, *.tail<id>.ts.net, *.lan/*.local, private git remotes | high |
| business | User-defined forbidden_terms from shipcheck.config.json (codenames, internal product names…) | medium |
| softNL | Chinese first-person personal context in *.md (我家 "my home" / 我老板 "my boss" / 我同事 "my coworker" + a relationship word) | info |
| binaries | *.png/.jpg/.mp4/.zip/.pdf > 50 KB inside the publish set | warn |
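To make the table concrete, here is an added illustration (not code from the shipcheck project) of a small rule table in the shape of the categories above, run over a constructed sample publish set. The rule ids, regular expressions, severities, the finding-id format (borrowed from the shape of the --allow entry in the configuration section) and the sample file contents are all assumptions; the real tool has about 30 secret rules alone and more categories than shown here. Secret matches are redacted in the report so the scanner itself does not become a second copy of the leak.

```javascript
// Added example, not shipcheck's own code: a minimal rule-based scanner with a
// few rules per category. Everything below is constructed for the illustration.

const RULES = [
  // secrets (critical): a few well-known token shapes
  { id: "secrets.aws-access-key",  severity: "critical", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { id: "secrets.github-pat",      severity: "critical", re: /\bgh[posur]_[A-Za-z0-9]{36}\b/g },
  { id: "secrets.anthropic-key",   severity: "critical", re: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g },
  { id: "secrets.pem-private-key", severity: "critical", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
  // identity (high)
  { id: "identity.email",          severity: "high", re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g },
  { id: "identity.absolute-home",  severity: "high", re: /\/(?:Users|home)\/[A-Za-z0-9._-]+\//g },
  // infra (high): RFC1918, Tailscale CGNAT 100.64.0.0/10, *.tail<id>.ts.net
  { id: "infra.rfc1918-ip",        severity: "high", re: /\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b/g },
  { id: "infra.tailscale-cgnat",   severity: "high", re: /\b100\.(?:6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.\d{1,3}\.\d{1,3}\b/g },
  { id: "infra.tailnet-host",      severity: "high", re: /\b[a-z0-9-]+\.tail[a-z0-9]+\.ts\.net\b/gi },
];

// Never echo a full secret into a report: keep just enough to locate it.
function redact(ruleId, value) {
  return ruleId.startsWith("secrets.") && value.length > 10
    ? value.slice(0, 6) + "…(" + value.length + " chars)"
    : value;
}

// Scan one file line by line. The finding id follows the assumed
// rule:<category.rule>:<path>#L<n> shape so it can be fed back to --allow.
function scanText(path, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const rule of RULES) {
      for (const m of line.matchAll(rule.re)) {
        findings.push({
          id: `rule:${rule.id}:${path}#L${idx + 1}`,
          rule: rule.id,
          severity: rule.severity,
          path,
          line: idx + 1,
          evidence: redact(rule.id, m[0]),
        });
      }
    }
  });
  return findings;
}

// files: { "relative/path": "contents" } -- the publish set, already resolved.
function scanFiles(files) {
  return Object.entries(files).flatMap(([path, text]) => scanText(path, text));
}

function summarize(findings) {
  const counts = { critical: 0, high: 0, medium: 0, info: 0, warn: 0 };
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  return counts;
}

function formatReport(findings) {
  const s = summarize(findings);
  const lines = findings.map(f => `[${f.severity}] ${f.id}  ${f.evidence}`);
  lines.push(`critical=${s.critical} high=${s.high} medium=${s.medium} info=${s.info} warn=${s.warn}`);
  return lines.join("\n");
}

// Constructed sample publish set; none of these values are real.
const SAMPLE_FILES = {
  "README.md": [
    "# demo",
    "Clone it to /Users/alice/projects/demo and run `npm start`.",
    "Questions: alice@example.com",
  ].join("\n"),
  "config/dev.json": [
    '{ "api":   "http://192.168.1.20:8080",',
    '  "peer":  "100.64.3.7",',
    '  "host":  "devbox.tailabc123.ts.net",',
    '  "token": "ghp_' + "x".repeat(36) + '" }',
  ].join("\n"),
  "deploy/key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...(constructed, truncated)\n-----END RSA PRIVATE KEY-----",
  "src/index.js": "module.exports = () => 'hello';",
};

console.log(formatReport(scanFiles(SAMPLE_FILES)));
```

The sample deliberately mixes one finding per rule family so the report shows how a single forgotten config file can carry an internal IP, a tailnet hostname and a token at once; the README lines show the quieter identity leaks that a secret-only scanner would not flag.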

Recommended workflow

# 1. Run it
shipcheck                       # or: shipcheck --scan-mode=dir .

# 2. Triage findings
#    - real leak → fix the file
#    - false positive → add to shipcheck.config.json allow / forbidden_terms

# 3. Re-run until 0 critical / high
shipcheck

# 4. Publish
npm publish    # or: clawhub publish ./skill --slug ...

Exit codes

| Code | Meaning |
|------|---------|
| 0 | No findings, or only allow-listed / info / warn |
| 1 | One or more critical / high / medium findings — do not ship |

Use the exit code in CI or prepublishOnly:

{
  "scripts": {
    "prepublishOnly": "shipcheck && npm run build && npm test"
  }
}

Configuration (optional)

shipcheck.config.json in the project root:

{
  "forbidden_terms": ["AcmeInternalCodename", "ProjectStarfish"],
  "allow": [
    "rule:identity.absolute-home:fixtures/golden/01/setup.md#L12"
  ],
  "scanMode": "npm"
}
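As an added example (not shipcheck's own code), the block below shows one way the two config keys can be applied to a list of findings together with the exit-code rule from the table earlier: forbidden_terms produces medium "business" findings, allow suppresses a finding by its full id, and the exit code is 1 only while an unacknowledged critical / high / medium finding remains. The finding-id shape is taken from the allow entry above; the exact-match semantics of allow, the case-insensitive term search, the sample findings and the sample files are assumptions for this illustration.

```javascript
// Added example, not shipcheck's own code: triage of findings against
// shipcheck.config.json. Sample findings and files are constructed.

// The config from the page, as an object.
const CONFIG = {
  forbidden_terms: ["AcmeInternalCodename", "ProjectStarfish"],
  allow: ["rule:identity.absolute-home:fixtures/golden/01/setup.md#L12"],
  scanMode: "npm",
};

// Findings as a detector might have produced them (constructed). The first one
// is a known test fixture, which is exactly what the allow entry acknowledges.
const SCAN_FINDINGS = [
  { id: "rule:identity.absolute-home:fixtures/golden/01/setup.md#L12", severity: "high" },
  { id: "rule:softNL.first-person:README.md#L9", severity: "info" },
  { id: "rule:binaries.large-file:assets/demo.mp4", severity: "warn" },
];

// Constructed publish-set contents carrying one internal codename.
const SAMPLE_FILES = {
  "docs/roadmap.md": "Q3: ProjectStarfish goes GA.\nQ4: nothing internal here.",
  "src/app.js": "console.log('hello');",
};

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Case-insensitive substring search for each forbidden term (assumption);
// each hit becomes a medium "business" finding with a line-addressable id.
function findForbiddenTerms(files, terms) {
  const out = [];
  for (const [path, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((line, idx) => {
      for (const term of terms) {
        if (new RegExp(escapeRegExp(term), "i").test(line)) {
          out.push({ id: `rule:business.forbidden-term:${path}#L${idx + 1}`, severity: "medium", term });
        }
      }
    });
  }
  return out;
}

// An allow entry acknowledges exactly one finding id; no wildcards (assumption).
function applyAllowList(findings, allow) {
  const allowed = new Set(allow);
  return findings.map(f => ({ ...f, allowed: allowed.has(f.id) }));
}

// Exit-code rule from the table: 0 unless an unacknowledged
// critical / high / medium finding remains; info and warn never block.
const BLOCKING = new Set(["critical", "high", "medium"]);

function exitCode(findings) {
  return findings.some(f => !f.allowed && BLOCKING.has(f.severity)) ? 1 : 0;
}

function triage(files, scanFindings, config) {
  const all = applyAllowList(
    [...scanFindings, ...findForbiddenTerms(files, config.forbidden_terms || [])],
    config.allow || [],
  );
  return { findings: all, exitCode: exitCode(all) };
}

const result = triage(SAMPLE_FILES, SCAN_FINDINGS, CONFIG);
for (const f of result.findings) {
  console.log(`${f.allowed ? "allowed " : "        "}[${f.severity}] ${f.id}`);
}
console.log("exit code:", result.exitCode);
```

The acknowledgement is keyed on the full id, including path and line, so an allow entry stops matching as soon as the file changes around it. That is the safe direction: a moved or edited leak is reported again rather than silently inheriting an old acknowledgement.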

Links

  • npm: <https://www.npmjs.com/package/@symbolstar/shipcheck>
  • source: <https://github.com/SymbolStar/shipcheck> (public mirror — main dev on local repo)
  • author: SymbolStar
Safe-use advice
This looks safe to use for its intended purpose: checking a project before publishing. Before installing, remember that the actual scanner is an external npm package, and only scan folders you intend to publish or share, because the findings themselves may include sensitive information.
Functional analysis
Type: OpenClaw Skill
Name: shipcheck
Version: 0.1.0

The shipcheck skill is a pre-publish security utility designed to scan npm packages and repositories for sensitive information (PII, API keys, internal IPs) before publication. It functions as a wrapper for the `@symbolstar/shipcheck` CLI tool and provides clear instructions for the AI agent to trigger scans during sensitive operations like `npm publish` or `git push`. No evidence of malicious intent, data exfiltration, or harmful prompt injection was found in the skill definition or instructions.
Capability assessment
Purpose & Capability
The stated purpose is to scan npm packages, OpenClaw skill folders, or repos before publishing for PII and secrets, and the documented commands match that purpose.
Instruction Scope
The skill is intended to run when a user is about to publish or asks for a leak check; it does not instruct publishing, deletion, or account mutation, but users should choose the scan path carefully.
Install Mechanism
The runnable behavior comes from the external npm package @symbolstar/shipcheck, while the submitted artifact set contains only SKILL.md and no package source code.
Credentials
Reading package/repo files for secrets and PII is proportionate to the pre-publish safety purpose, with no artifact evidence of network upload or credential use.
Persistence & Privilege
No required credentials, environment variables, privileged paths, background services, or automatic persistence are declared. The prepublishOnly example is user-directed project configuration.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install shipcheck
  3. After installation, call the Skill by name directly or trigger it with /shipcheck
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history
v0.1.0
Initial release: pre-publish PII & secret check skill wired to @symbolstar/shipcheck CLI
Metadata
Slug: shipcheck
Version: 0.1.0
License: MIT-0
Total installs: 0
Current installs: 0
Number of versions: 1
FAQ

What is Shipcheck?

Pre-ship safety net. Scan an npm package, OpenClaw skill folder, or git repo BEFORE publishing to catch personal info leaks (absolute home paths, emails, int... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 66 downloads to date.

How do I install Shipcheck?

Run the command "/install shipcheck" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Shipcheck free?

Yes, Shipcheck is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does Shipcheck support?

Shipcheck is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Shipcheck?

Developed and maintained by SymbolStar (@symbolstar); the current version is v0.1.0.
