Amazon Review Workbook

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do the stated Amazon review workbook job, but it asks users to expose a logged-in Chrome profile through remote debugging and lacks strong safeguards around that access.

Install only if you are comfortable giving the skill temporary access to a logged-in Amazon browser session. Use a dedicated temporary Chrome profile, keep the debug port local, close it after scraping, use only trusted DeepLX endpoints, and delete local caches/exports when no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill instructs the agent to run local Python scripts that access environment variables, read and write arbitrary workspace files, and make network requests to Amazon, Chrome DevTools on port 9222, and optionally DeepLX, yet it declares no permissions or trust boundaries. That mismatch is dangerous because users and the host system are not given an explicit capability contract, increasing the chance of silent data access, SSRF-like local service access, or unintended exfiltration through translation/network steps.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The README explicitly promotes optional transmission of review content to a DeepLX endpoint for translation, but it does not warn users that customer review text may be sent to a third-party or self-hosted service outside the local workflow. This creates a real privacy and data-governance risk because scraped data may contain personal data, usernames, links, and other content that operators may not realize they are disclosing.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The README instructs users to launch a logged-in Chrome instance with remote debugging enabled on port 9222, but does not prominently warn that DevTools access can provide broad control over the browser session, including authenticated Amazon context. If the debugging port is exposed beyond localhost or accessed by another local process, an attacker could hijack the logged-in session, inspect page data, or automate actions as the user.

Vague Triggers

Severity: Medium
Confidence: 77%
Finding: The description uses broad trigger language such as handling Amazon links, review scraping, competitor review analysis, review export, and delivery-ready spreadsheets, which makes over-invocation more likely for ordinary user requests. In context, that can cause the agent to launch a high-capability workflow involving browser session reuse, file generation, and network activity when the user may have only asked for analysis or summarization.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The setup instructs users to launch Chrome with remote debugging enabled against their normal logged-in profile and exposes it on localhost:9222 without an explicit security warning or safer isolation guidance. Any local process, malicious browser extension, container escape, or other code running as the user could connect to the DevTools endpoint and read cookies, session data, page contents, or drive the authenticated browser, which is especially sensitive for an Amazon-logged-in session.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The code batches review text and sends it to an external DeepLX service for translation without an in-flow warning, consent checkpoint, or clear disclosure at the point of transfer. Even if the source data is publicly posted reviews, exporting collected text to a third-party service creates a real data-sharing boundary that users may not expect, especially when the tool also enriches and caches data across runs.

Natural-Language Policy Violations

Severity: Low
Confidence: 89%
Finding: When DeepLX is unavailable, the tool instructs the operator to send pending review texts to a specific AI service for translation. That fallback encourages manual disclosure of collected content outside the defined processing pipeline and outside any coded controls, auditing, or minimization safeguards.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding: The script reads an API key and endpoint from environment/.env and then transmits user-derived review text plus credentials to an external translation service, but this file contains no disclosure, consent gate, or trust check. In a workbook/export skill handling scraped content, silent transmission to an external service can create privacy, data-handling, and credential-exposure risk, especially if DEEPLX_API_URL is pointed at a third-party or attacker-controlled server.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The workflow persists cached labeling data to a local JSONL file, and elsewhere in the file that cache is populated with semantic fields derived from review text, including translated text, summaries, sentiment, categories, and tags. In the context of a review-scraping skill, this creates a data-retention and privacy risk because user-collected review content and derived annotations may remain on disk without clear consent, retention controls, encryption, or minimization.

Ssd 3

Severity: Medium
Confidence: 93%
Finding: The fallback path explicitly encourages transferring all pending review text to a human or external AI for translation, which broadens data exposure beyond the tool's normal pipeline. In this skill context, the danger is elevated because the tool is designed for bulk scraping and workbook generation, so a single fallback action can disclose large volumes of collected content at once.

VirusTotal

66/66 vendors flagged this skill as clean.
