Back to skill

Security audit

clawec-amazon-aba-selection

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a disclosed ClawEC API helper for Amazon ABA market analysis and does not show hidden, destructive, or unrelated behavior.

Install only if you intend to use ClawEC for Amazon ABA analysis. Provide a CLAWEC_API_KEY only for that service, avoid hardcoding it, and review the returned account/search logs because they may contain your ClawEC market research history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs use of environment variables and shell scripts/curl commands but does not declare corresponding permissions. This creates a capability/permission mismatch that can undermine least-privilege controls and surprise the hosting agent into exposing secrets or shell execution paths that were not explicitly reviewed. In this context, the skill also handles an API key, so undeclared env access is more sensitive than a purely informational skill.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.