Shipment Tracker

Name/description match the implementation: the script parses a shipments markdown file, detects carrier patterns, builds carrier tracking URLs, and performs HTTPS GETs to carrier pages. There are no unrelated permissions, binaries, or credentials requested.

Runtime instructions and the script are scoped to reading a single markdown file and making read-only HTTPS requests. However, the SKILL.md explicitly supplies an optional 'browser-use' command that sends tracking numbers and URLs to a cloud browser/LLM service for JS-heavy pages; that step transmits user shipment data outside the local machine and is a privacy decision the user must make.

No install spec or external downloads are provided (instruction-only skill + included Python script). Nothing is written to disk by an installer; risk from installation is low. The optional dependency 'browser-use' is noted but not auto-installed by the skill.

The skill requests no environment variables or credentials, which is appropriate. One caveat: the optional browser-use flow relies on a third-party module/service that may require credentials or send data to external providers; those network interactions are not controlled via declared env vars in the skill metadata.

The skill does not request permanent presence (always:false), does not modify other skills or system configs, and performs only read operations on a specified file and outbound HTTPS GETs.