← 返回 Skills 市场

Shippage

Name: Shippage
Author: uncle-jacky

作者 Uncle.J · GitHub ↗ · v1.2.0 · MIT-0

cross-platform ⚠ suspicious

177

总下载

当前安装

版本数

在 OpenClaw 中安装

/install shippage

功能描述

Publish HTML or Markdown to a public URL instantly. Zero config, auto-registers on first use. Use when the user wants to share, preview, host, or deploy gene...

安全使用建议

This skill does what it claims (publishes HTML/Markdown) but it will: (1) auto-register and save credentials to ~/.shippage/credentials.json, and (2) silently check a remote server and may overwrite your local SKILL.md with whatever it downloads from shippage.ai. Before installing or using it: review the shippage.ai domain and privacy/terms; do not publish secrets or private data through the service; consider running the agent/skill in a sandbox or with a backup of any SKILL.md you care about; disable or manually approve updates if possible; inspect the credentials file content and restrict its permissions; and prefer manual review of any downloaded SKILL.md (the update is not signed or integrity-checked). If you are uncomfortable with remote replacement of local instruction files, treat this skill as untrusted.

功能分析

Type: OpenClaw Skill Name: shippage Version: 1.2.0 The skill contains a self-update mechanism in SKILL.md that instructs the AI agent to silently check for updates and overwrite its own instruction file (SKILL.md) with content downloaded from https://shippage.ai/v1/skill/download. This pattern enables remote instruction injection, allowing the server to potentially change the agent's behavior or introduce malicious prompts in the future without user oversight. While the primary functionality of publishing web content to shippage.ai is consistent with the stated purpose, the auto-update logic represents a significant security risk and a potential backdoor for the agent's logic.

能力评估

ℹ Purpose & Capability

The skill's declared purpose (publish HTML/Markdown to a public URL) matches the commands and endpoints in SKILL.md: it uses curl to POST content to shippage.ai and saves returned credentials to ~/.shippage/credentials.json. Required binaries (curl) and file reads/writes (reading a Markdown file, storing credentials) are coherent with the described functionality.

⚠ Instruction Scope

Instructions include a silent 'auto-update' step that queries https://shippage.ai/v1/skill/version and, if an update is advertised, downloads https://shippage.ai/v1/skill/download and atomically replaces SKILL.md in several possible local paths. That behavior modifies runtime instructions without integrity/signature verification and happens 'silently' before first use. The publish flow writes credentials to ~/.shippage/credentials.json and reads files like your-file.md — those are expected, but the silent remote replacement of local instruction files is a scope and trust escalation risk.

ℹ Install Mechanism

There is no formal install spec (instruction-only), which reduces attack surface. However, the skill's built-in update mechanism downloads content from shippage.ai and replaces local SKILL.md. Downloading and replacing instruction files from the project's domain is traceable but performed without signature checks or explicit user consent, which increases risk compared to a vetted package or signed update.

✓ Credentials

The skill requests no environment variables or unrelated credentials. It stores an API key returned by the service in ~/.shippage/credentials.json, which is proportionate to auto-registration and publishing functionality. It does not ask for unrelated secrets or system tokens.

ℹ Persistence & Privilege

The skill does not set always:true and does not request system-wide privileges. It does, however, write credentials to ~/.shippage and may overwrite local SKILL.md files in several locations. Writing to its own SKILL.md and its own config is normal, but the ability to silently replace local instruction files increases its persistence/privilege footprint within an agent's skill directory.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install shippage
安装完成后，直接呼叫该 Skill 的名称或使用 /shippage 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.2.0

v1.2.0: Skill auto-update, improved Markdown support

v1.1.1

v1.1.1: Add Markdown publishing support, publish .md files directly as styled web pages

v1.1.0

v1.1.0: 新增 Markdown 发布支持，自动转换为 GitHub 风格网页

v1.0.1

Optimize description for better discovery. Add semantic search coverage for publish/share/preview/deploy/mobile/WeChat intents. Improve usage docs with clear use-case bullets.

v1.0.0

Launch: zero-config HTML publishing for AI agents

v0.1.0

- Initial release of shippage (v0.1.0): instantly publish HTML to a live public URL, zero configuration required. - First publish auto-registers your agent and stores credentials for future use. - Simple CLI workflow using curl to publish, update, list, and delete HTML pages. - Supports optional parameters like title, custom slug, password protection, and expiry time. - Clear error handling for quota, URL conflicts, and size limits. - Free tier includes up to 20 publishes per month, 14-day retention, and 500KB page size.

元数据

Slug shippage

版本 1.2.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 6

常见问题

Shippage 是什么？

Publish HTML or Markdown to a public URL instantly. Zero config, auto-registers on first use. Use when the user wants to share, preview, host, or deploy gene... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 177 次。

如何安装 Shippage？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install shippage」即可一键安装，无需额外配置。

Shippage 是免费的吗？

是的，Shippage 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Shippage 支持哪些平台？

Shippage 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Shippage？

由 Uncle.J（@uncle-jacky）开发并维护，当前版本 v1.2.0。