Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Amazon Review Workbook
v1.0.3
Collect all customer reviews from an Amazon product URL or product-reviews URL through a logged-in Chrome session on port 9222, export a 14-column factual wo...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the included scripts: the code scrapes Amazon review pages through a Chrome remote-debugging session (localhost:9222), builds factual JSON/workbooks, offers optional DeepLX translation, and provides tagging/merge tooling. Nothing in the repository requests unrelated cloud credentials or surprising capabilities.
Instruction Scope
SKILL.md instructs the agent/operator to run the included Python CLI scripts and to launch Chrome with --remote-debugging-port=9222 using a profile logged into Amazon. This is coherent with the scraping use case, but connecting to a logged-in Chrome profile exposes that browser session (cookies, authenticated views) to the script via the Chrome DevTools Protocol — the user should understand that the script will access the pages and session state available to that profile.
Install Mechanism
There is no automated install spec; this is an instruction-only skill with bundled Python scripts. Dependencies are documented (pandas, openpyxl, requests, websocket-client) and must be installed by the operator. No remote binary downloads or installers are present.
Credentials
Registry metadata lists no required env vars, but the code supports optional DEEPLX_API_URL and DEEPLX_API_KEY (read from environment or .env files) for translation. The scripts will read those specific values and will POST review text to the configured DeepLX host if set. That behavior is expected for optional translation, but the metadata omission is an inconsistency and users must avoid putting sensitive secrets into repository-tracked .env files and should trust any external translation endpoint they configure.
Persistence & Privilege
The skill does not request permanent/always-on inclusion and does not modify other skills. It writes output artifacts and an SQLite cache under the chosen output directory (default amazon-review-output). Those writable files are normal for this workflow.
Assessment
This skill appears to do what it claims: scrape Amazon reviews via a locally running, logged-in Chrome session and produce deliverable spreadsheets. Before using it:
1) Understand that you must launch Chrome with remote debugging and a profile logged into Amazon — the script can access that browser session (cookies, authenticated pages). Only run it on a machine/profile you trust to be used for scraping.
2) If you enable automatic translation, you must set DEEPLX_API_URL (and optionally DEEPLX_API_KEY); translations will be POSTed to that URL, so only configure trusted endpoints and avoid committing real .env files with secrets into git.
3) Install the documented Python dependencies and run unit tests if desired.
4) The registry metadata did not declare the optional DeepLX env vars—treat that as a minor metadata inconsistency and review the deeplx_translate.py file and any .env before use.
If you want extra assurance, inspect/grep the bundled scripts for network calls (requests, websocket usage) and run the 'doctor' command on a harmless product URL first to observe behavior.
scripts/amazon_review_workbook.py:741
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
