Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Amazon PA-API Integration
v1.0.0
Search Amazon products and get product details using Amazon Product Advertising API (PA-API). Use for product searches, price lookups, and affiliate links.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's purpose (calling Amazon Product Advertising API) legitimately requires AMAZON_ACCESS_KEY, AMAZON_SECRET_KEY, and AMAZON_PARTNER_TAG — those credentials are proportionate to the stated function. However, the registry metadata claims no required env vars while the SKILL.md metadata declares three required env vars; that inconsistency weakens trust in the packaging.
Instruction Scope
SKILL.md instructs the agent to use CLI tools named amazon-search and amazon-product, but there is no install spec, no bundled binaries, and the registry lists no required binaries. This leaves unclear how those commands are provided or executed. The instructions otherwise only refer to Amazon API host/region and the PA-API credentials (expected), and do not ask to read unrelated local files.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which is low disk/write risk. But because the instructions assume external CLI tools that are not provided, it's unclear whether the agent will attempt to call nonexistent commands, fall back to other behaviors, or attempt to download/install tooling at runtime — that ambiguity is concerning.
Credentials
The three Amazon PA-API credentials requested in SKILL.md are appropriate for the stated purpose. However, the registry metadata does not declare these required env vars (mismatch). SKILL.md also mentions optional AMAZON_HOST and AMAZON_REGION that are not declared as required; the skill's declared and actual credential requirements are inconsistent.
Persistence & Privilege
SKILL.md metadata includes always: true (force-include), which is a significant privilege if accurate. The registry flags show always:false — this conflict is noteworthy because if the skill is actually always-enabled it widens exposure of supplied credentials. Confirm which source is authoritative before installing.
What to consider before installing
What to check before installing:
1) Confirm the authoritative source and homepage/author — this skill has no source URL or repo.
2) Ask the author how amazon-search and amazon-product are provided (install package, wrapper, or expected preinstalled CLI). Do not supply API keys until you understand where code runs.
3) Resolve the metadata mismatch: registry says no env vars and no always flag, SKILL.md requires PA-API keys and sets always:true — ask which is correct.
4) If you must test, use an isolated environment and short-lived/limited credentials (dedicated PA-API keys or rotated keys / limited-scope account), and monitor usage; do not reuse production AWS credentials.
5) Prefer a skill with a verifiable source (GitHub release or official package) and an install spec that clearly provides the required binaries.
If the author cannot clarify these inconsistencies, treat the skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
