Back to skill

Security audit

clawec-amazon-asin-traffic-source

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow ClawEC API helper for Amazon ASIN traffic-source analysis, with its network use and API-key handling visible in the artifacts.

Before installing, confirm you are comfortable giving the skill access to your ClawEC API key and sending ASIN, marketplace, month, and related query choices to ClawEC. Use a scoped or revocable API key if available, and avoid running the scripts in environments where CLAWEC_API_KEY is shared with unrelated tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs use of environment variables and shell commands (`curl`, `bash scripts/*.sh`) but does not declare corresponding permissions. This creates a capability/permission mismatch that can bypass user expectations and platform controls, especially if an agent executes shell or reads `CLAWEC_API_KEY` from the environment without explicit authorization.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.