secureship-docs.json
{
"tool_id": "secureship-docs",
"version": "smithery",
"grade": "B",
"risk_score": 17,
"scan_date": "2026-04-19T02:22:14.056503114Z",
"scanner": "tooltrust-scanner/v0.3.8",
"source_url": "https://smithery.ai/server/secureship/docs",
"vendor": "Smithery",
"description": "Secureship MCP gives AI assistants access to a multi-carrier shipping API covering rate comparison, label generation, package tracking, pickup scheduling, address book management, shipment history, customs documents, and more — across carriers like UPS, FedEx, Purolator, Canpar, and others. Browse 150+ live endpoint schemas, parameters, and auth details — always current, never stale.\n\nSecureship isn't just for shipping with one carrier — it's a multi-carrier shipping platform, and this MCP server gives AI assistants full access to the API documentation for every supported action: compare rates across carriers, generate shipping labels, track packages, schedule pickups, manage address books, review shipment history, produce customs documents, handle invoices, and even perform actions available on the Secureship web dashboard — all through a single API.\n\nThe MCP documentation server exposes live endpoint metadata pulled directly from the running application — not static docs that go stale. That means AI assistants always get the correct paths, parameters, request bodies, response schemas, and authentication requirements for 150+ endpoints.\n\nRead-only, public, no API key needed to browse. Authentication for the actual shipping API uses a simple X-API-KEY header.\n\n**Tools exposed:**\n- SearchDocs — keyword search across all API endpoints\n- GetEndpointDetail — full schema for a specific endpoint (params, request body, responses, auth)\n- ListEndpoints — list all endpoints, optionally filtered by category\n- GetAuthInfo — authentication instructions (X-API-KEY header)\n\n**Categories:** Shipping, logistics, e-commerce, carriers, rates, labels, tracking, address book, customs documents, shipment history",
"findings": [
{
"id": "AS-002",
"severity": "Medium",
"title": "Excessive Permission Surface",
"description": "tool declares fs permission",
"recommendation": "Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.",
"tool_name": "get_endpoint_detail"
},
{
"id": "AS-002",
"severity": "Low",
"title": "Excessive Permission Surface",
"description": "tool declares http permission",
"recommendation": "Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.",
"tool_name": "get_endpoint_detail"
},
{
"id": "AS-011",
"severity": "Low",
"title": "DoS Resilience — Missing Rate Limit / Timeout",
"description": "tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration",
"recommendation": "Declare explicit rate-limit, timeout, and retry configuration for all network and execution tools. Implement exponential back-off and surface resource state to the calling agent.",
"tool_name": "get_endpoint_detail"
},
{
"id": "AS-014",
"severity": "Info",
"title": "DEPENDENCY_INVENTORY_UNAVAILABLE",
"description": "Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited.",
"recommendation": "Review and remediate the identified issue.",
"tool_name": "get_endpoint_detail"
},
{
"id": "AS-014",
"severity": "Info",
"title": "DEPENDENCY_INVENTORY_UNAVAILABLE",
"description": "Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited.",
"recommendation": "Review and remediate the identified issue.",
"tool_name": "get_auth_info"
},
{
"id": "AS-002",
"severity": "High",
"title": "Excessive Permission Surface",
"description": "tool declares network permission",
"recommendation": "Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.",
"tool_name": "search_docs"
},
{
"id": "AS-011",
"severity": "Low",
"title": "DoS Resilience — Missing Rate Limit / Timeout",
"description": "tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration",
"recommendation": "Declare explicit rate-limit, timeout, and retry configuration for all network and execution tools. Implement exponential back-off and surface resource state to the calling agent.",
"tool_name": "search_docs"
},
{
"id": "AS-014",
"severity": "Info",
"title": "DEPENDENCY_INVENTORY_UNAVAILABLE",
"description": "Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited.",
"recommendation": "Review and remediate the identified issue.",
"tool_name": "search_docs"
},
{
"id": "AS-014",
"severity": "Info",
"title": "DEPENDENCY_INVENTORY_UNAVAILABLE",
"description": "Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited.",
"recommendation": "Review and remediate the identified issue.",
"tool_name": "list_endpoints"
}
],
"summary": {
"critical": 0,
"high": 1,
"medium": 1,
"low": 3,
"info": 4
},
"methodology": "https://github.com/AgentSafe-AI/tooltrust-directory/blob/main/docs/methodology.md",
"tool_names": [
"get_auth_info",
"get_endpoint_detail",
"list_endpoints",
"search_docs"
],
"tool_contexts": [
{
"tool_name": "get_endpoint_detail",
"action": "ALLOW",
"grade": "B",
"behavior": [
"reads_files",
"uses_network"
],
"dependency_visibility": "No dependency data",
"dependency_note": "No metadata.dependencies or repo_url were exposed by this MCP server."
},
{
"tool_name": "get_auth_info",
"action": "ALLOW",
"grade": "A",
"dependency_visibility": "No dependency data",
"dependency_note": "No metadata.dependencies or repo_url were exposed by this MCP server."
},
{
"tool_name": "search_docs",
"action": "ALLOW",
"grade": "B",
"behavior": [
"uses_network"
],
"dependency_visibility": "No dependency data",
"dependency_note": "No metadata.dependencies or repo_url were exposed by this MCP server."
},
{
"tool_name": "list_endpoints",
"action": "ALLOW",
"grade": "A",
"dependency_visibility": "No dependency data",
"dependency_note": "No metadata.dependencies or repo_url were exposed by this MCP server."
}
],
"scan_history": [
{
"scan_date": "2026-04-17T02:15:50Z",
"grade": "B",
"risk_score": 17,
"version": "smithery"
},
{
"scan_date": "2026-04-18T01:59:28Z",
"grade": "B",
"risk_score": 17,
"version": "smithery"
}
]
}