Back to skill

Security audit

clawec-amazon-keyword-selection

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward ClawEC API helper for Amazon keyword research, with disclosed API-key use and no evidence of hidden or destructive behavior.

Install only if you intend to use ClawEC for Amazon keyword research. Provide a CLAWEC_API_KEY you are comfortable using with clawec.com, and remember that searches and log lookups are sent to that service under your account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs use of environment variables and shell scripts/curl commands but does not declare corresponding permissions. This creates a capability mismatch: an agent or reviewer may underestimate that the skill can access secrets and execute shell-based network calls, increasing the risk of unintended secret exposure or unsandboxed command execution in environments that rely on declared permissions for policy decisions.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.