Amazon Analysis

Security checks across malware telemetry and agentic risk

Overview

This Amazon research skill mostly does what it says, but it carries under-scoped, high-impact capability metadata and instructions that can hide data-quality problems or infer seller nationality from weak signals.

Install only after confirming whether the crypto and purchase capability tags are intentional and either removable or strictly controlled. Prefer APICLAW_API_KEY via environment variable, use a dedicated API key, protect any config file, and monitor credit usage. Treat reports as directional, especially when data is missing or estimated, and avoid the Chinese-seller workflow unless it is rewritten to use only explicit source-provided country metadata with clear limitations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation indicates access to environment variables, local files, and networked API calls, but it does not declare corresponding permissions. This creates a transparency and least-privilege problem: operators may approve or run the skill without understanding that it can read secrets and files and transmit data externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documented purpose is narrower than the behavior described in the skill's own analysis instructions, which include additional data collection, historical tracking, review/consumer-insight extraction, and unattended composite workflows. Description-behavior mismatch is dangerous because it can conceal materially broader data processing and automation than a user expects, increasing the chance of unauthorized or privacy-impacting use.

Intent-Code Divergence

Low
Confidence
81% confidence
Finding
The file gives conflicting credential-handling guidance by saying the API key is stored in config.json while the metadata requires an environment variable. Inconsistent secret storage instructions often lead users to place credentials in local files unnecessarily, increasing exposure through accidental commits, backups, or broader file-read access.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The workflow explicitly supports identifying, filtering, and ranking sellers by inferred Chinese origin, which introduces nationality-based profiling unrelated to core product-market analysis. It becomes more dangerous because the file goes beyond factual fields and encourages inference about identity, enabling discriminatory targeting and unreliable seller classification.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
These instructions tell the agent to infer seller nationality from speculative signals such as pinyin-like names, suffix patterns, or product-category stereotypes. That is unsafe because the heuristics are unreliable, likely to produce false attributions, and normalize profiling-based decisions against a protected or sensitive characteristic.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill documentation states the API key comes from the APICLAW_API_KEY environment variable, but the code also loads credentials from a local config.json in the skill directory. This broadens the credential ingestion surface and can cause operators to place secrets in workspace files that are easier to leak, commit, or expose through other tooling.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The credential section instructs users to obtain and store an API key but does not warn about sensitive-secret handling. Without explicit guidance, users may paste keys into insecure files or repositories, which can lead to credential leakage and unauthorized API usage.
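The three credential findings above describe one pattern: the key is documented as coming from APICLAW_API_KEY, yet a config.json in the skill directory is also accepted. The following is an added example, not code from the skill or from SkillSpector, showing that weak loader beside a hardened one that reads the environment only or an explicitly named key file with owner-only permissions. The file names, function names and the 0600 requirement are assumptions for this illustration.

```python
"""Added example, not code from the skill or from SkillSpector.

Two API-key loaders. load_key_weak mirrors the behaviour the findings
describe: APICLAW_API_KEY from the environment, with a silent fallback to
config.json inside the skill directory. load_key_hardened reads the
environment only, or an explicitly named key file that must not be readable
by group or others. The file names, function names and the 0600 requirement
are assumptions for this illustration.
"""
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional


class InsecureSecretFile(Exception):
    """Raised when a key file is readable by anyone other than its owner."""


def load_key_weak(skill_dir: Path, env: dict) -> Optional[str]:
    """Env var first, then config.json in the skill directory (the reported
    behaviour). The fallback silently widens where secrets may live."""
    key = env.get("APICLAW_API_KEY")
    if key:
        return key
    cfg = skill_dir / "config.json"
    if cfg.exists():
        return json.loads(cfg.read_text()).get("api_key")
    return None


def load_key_hardened(env: dict, key_file: Optional[Path] = None) -> Optional[str]:
    """Env var only, unless the operator explicitly names a key file.
    A named file must be mode 0600 or tighter; a missing key returns None so
    the caller can fail closed instead of calling the API unauthenticated."""
    key = env.get("APICLAW_API_KEY")
    if key:
        return key.strip()
    if key_file is None:
        return None
    mode = stat.S_IMODE(key_file.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureSecretFile(f"{key_file} has mode {mode:o}; expected 0600 or tighter")
    return key_file.read_text().strip() or None


def demo() -> dict:
    """Exercise both loaders against a constructed skill directory."""
    with tempfile.TemporaryDirectory() as tmp:
        skill_dir = Path(tmp)
        # Constructed fixtures: a stray config.json and a loosely permissioned key file.
        (skill_dir / "config.json").write_text(json.dumps({"api_key": "ak_from_config"}))
        key_file = skill_dir / "apiclaw.key"
        key_file.write_text("ak_from_file\n")
        os.chmod(key_file, 0o644)

        results = {
            "weak_no_env": load_key_weak(skill_dir, {}),       # picks up config.json silently
            "hardened_no_env": load_key_hardened({}),          # None: nothing to fall back to
            "hardened_env": load_key_hardened({"APICLAW_API_KEY": "ak_from_env"}),
        }
        try:
            load_key_hardened({}, key_file)
            results["hardened_loose_file"] = "accepted"
        except InsecureSecretFile:
            results["hardened_loose_file"] = "rejected"   # 0644 key file refused
        os.chmod(key_file, 0o600)
        results["hardened_tight_file"] = load_key_hardened({}, key_file)
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened loader never looks inside the skill directory, so a config.json that ends up in a repository or backup cannot become the credential path. Run it on a POSIX system; the mode check relies on Unix permission bits.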

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The instruction to 'not expose the issue to users' causes the agent to conceal when competitor discovery fell back due to an empty endpoint response. In a seller-intelligence skill, hiding data-source gaps can materially mislead users about confidence, coverage, and reliability of competitive conclusions.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The guide directs the skill to silently substitute rating-breakdown data when review analysis lacks sufficient reviews. That hides an important methodological limitation and may present weaker proxy data as equivalent to direct review analysis, overstating the quality of consumer-insight conclusions.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
A blanket rule to never expose error details encourages suppression of material limitations rather than calibrated disclosure. In this context, users depend on the tool for business decisions, so obscuring failures can lead to overtrust in incomplete or partially failed analyses.

Natural-Language Policy Violations

Medium
Confidence
98% confidence
Finding
Forbidding mention of fallback, degraded, or retry conditions in provenance prevents users from seeing whether the report relied on lower-quality or substitute data paths. In an analysis/reporting skill, provenance is specifically where such caveats belong, so suppressing them undermines auditability and informed decision-making.
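The four policy findings above all concern the same mechanism: the skill is told to hide empty-endpoint fallbacks, proxy data and retries from the user. As an added example, not code from the skill or from SkillSpector, the following report builder records each of those conditions in a provenance object and lowers the stated confidence instead of suppressing them. The review threshold, field names and sample API responses are assumptions constructed for this illustration.

```python
"""Added example, not code from the skill or from SkillSpector.

A report provenance record that keeps fallback, degraded and retry
conditions visible, the opposite of the "never expose error details" rule
the findings describe. The three data paths (competitor discovery with an
empty endpoint, review analysis falling back to a rating breakdown, an
upstream call that needs retries) follow the findings; the threshold, field
names and sample responses are assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

MIN_REVIEWS_FOR_TEXT_ANALYSIS = 50   # assumed threshold
_LEVELS = ("high", "medium", "low")


@dataclass
class Provenance:
    sources: List[str] = field(default_factory=list)
    caveats: List[str] = field(default_factory=list)
    confidence: str = "high"

    def degrade(self, caveat: str, level: str) -> None:
        """Record a caveat and lower overall confidence; never raise it again."""
        self.caveats.append(caveat)
        if _LEVELS.index(level) > _LEVELS.index(self.confidence):
            self.confidence = level


def discover_competitors(endpoint_hits: list, category_fallback: list, prov: Provenance) -> list:
    """Use the search endpoint; if it returns nothing, use the fallback and say so."""
    if endpoint_hits:
        prov.sources.append("competitors: search endpoint")
        return endpoint_hits
    prov.sources.append("competitors: category fallback list")
    prov.degrade("competitor endpoint returned no results; fallback list used", "medium")
    return category_fallback


def consumer_insights(reviews: list, rating_breakdown: dict, prov: Provenance) -> dict:
    """Review-text analysis when there are enough reviews; otherwise a labelled proxy."""
    if len(reviews) >= MIN_REVIEWS_FOR_TEXT_ANALYSIS:
        prov.sources.append(f"insights: {len(reviews)} review texts")
        return {"method": "review_text", "n_reviews": len(reviews)}
    prov.sources.append("insights: rating-breakdown proxy")
    prov.degrade(
        f"only {len(reviews)} reviews (< {MIN_REVIEWS_FOR_TEXT_ANALYSIS}); "
        "star distribution used as a proxy for review analysis", "low")
    return {"method": "rating_breakdown_proxy", "n_reviews": len(reviews), "stars": rating_breakdown}


def with_retries(fetch: Callable[[], dict], attempts: int, prov: Provenance) -> Optional[dict]:
    """Retry an upstream call; record how many retries it took or that it failed."""
    last_error = None
    for i in range(attempts):
        try:
            result = fetch()
        except Exception as exc:  # any upstream error is a provenance fact, not a secret
            last_error = exc
            continue
        if i:
            prov.degrade(f"upstream needed {i} retry attempt(s) before succeeding", "medium")
        return result
    prov.degrade(f"upstream failed after {attempts} attempts: {last_error}", "low")
    return None


def demo() -> dict:
    """Build one report from constructed inputs that hit every degraded path."""
    prov = Provenance()
    competitors = discover_competitors([], ["fallback-item-1", "fallback-item-2"], prov)
    insights = consumer_insights(["great", "broke after a week"], {"5": 40, "4": 20, "1": 40}, prov)

    calls = {"n": 0}
    def flaky_product_lookup() -> dict:   # constructed: fails twice, then succeeds
        calls["n"] += 1
        if calls["n"] < 3:
            raise TimeoutError("upstream timeout")
        return {"price": 19.99}

    product = with_retries(flaky_product_lookup, 3, prov)
    return {"competitors": competitors, "insights": insights, "product": product,
            "confidence": prov.confidence, "sources": prov.sources, "caveats": prov.caveats}


if __name__ == "__main__":
    report = demo()
    print("confidence:", report["confidence"])
    for caveat in report["caveats"]:
        print(" -", caveat)
```

The caveats list is what belongs in the report's provenance section: the user sees that the competitor set came from a fallback, that the consumer insight is a star-distribution proxy, and that the product lookup needed retries, and the headline confidence drops to "low" accordingly.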

Vague Triggers

Medium
Confidence
87% confidence
Finding
The broad trigger for 'Chinese sellers' can activate a nationality-focused profiling workflow with little contextual constraint or user justification. Because the underlying workflow performs sensitive seller segmentation, the loose trigger materially increases the chance of inappropriate or discriminatory use.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
This section operationalizes analysis of sellers by nationality without any documented necessity, user choice safeguards, or policy boundary. In the context of an Amazon seller intelligence skill, that expands the tool from market research into identity-based segmentation, increasing the risk of discriminatory decisions and misuse.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrase "pain points" is generic and commonly appears in ordinary product-feedback, UX, marketing, and customer-research conversations. In an agent skill system, this can cause over-broad invocation, exposing seller-intelligence workflows and external API usage in contexts where the user did not intend Amazon-specific analysis, increasing the chance of unnecessary data access, tool execution, or misleading scope escalation.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The phrase "can I do this" is highly ambiguous and can match a vast range of unrelated user requests. In a tool-enabled agent, such broad activation can incorrectly route benign or unrelated queries into a risk-assessment workflow that may trigger market, competitor, or review-analysis actions without clear user intent, creating confusion and unintended external API use.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Phrases such as "what do users want" and "who is buying" are broad, cross-domain research prompts that could match many non-Amazon conversations. Because this skill performs category consumer-insight analysis through an external API, overly generic triggers raise the risk of accidental invocation, unnecessary data processing, and agent behavior that exceeds the user's intended scope.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases for competitive listing analysis are broad enough that normal user requests about competitor messaging or selling points could activate this skill outside a clearly scoped Amazon seller-analysis workflow. In an agent environment, unintended activation can cause unnecessary API calls, incorrect tool selection, and exposure of seller-intelligence behavior when the user only wanted generic writing or comparison help.

Vague Triggers

Medium
Confidence
93% confidence
Finding
Phrases like 'write listing', 'generate bullet points', or 'help me write product page' are common everyday requests and are not sufficiently constrained to Amazon-specific seller operations. This increases the chance that the agent invokes this skill for unrelated marketing or e-commerce tasks, leading to misrouting, unnecessary external data access, and possibly using competitor-analysis workflows when the user did not intend that scope.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Requests such as 'optimize my listing' or 'what's wrong with my listing' are ambiguous and could refer to many platforms or even non-commerce content, making accidental activation likely. In this skill, activation leads into competitor pulls, product lookups, and review analysis, so poor scoping raises the risk of over-collection, wasted API usage, and user confusion about why Amazon-specific intelligence actions were taken.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation guidance is broad enough to load this scenario for generic pricing, profit, or listing reference tasks, even when the user may not specifically need Amazon seller intelligence. Over-broad triggering can cause unnecessary access to external data tooling and increase the chance the agent applies domain-specific workflows in unrelated contexts, which is a prompt-scoping/security issue for agent skills.
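The vague-trigger findings above list phrases ("pain points", "can I do this", "optimize my listing", "Chinese sellers") that will fire in ordinary conversations. As an added example, not code from the skill or from SkillSpector, the following gate contrasts that keyword-only rule with one that also requires an explicit marketplace signal before the seller-intelligence workflow loads. The intent phrases are taken from the findings; the signal word list and the ASIN-shaped token pattern are assumptions.

```python
"""Added example, not code from the skill or from SkillSpector.

A trigger gate for an Amazon seller-intelligence skill. keyword_trigger is
the over-broad rule the findings describe: any listed phrase activates the
skill. scoped_trigger additionally requires an explicit marketplace signal
(a marketplace word or an ASIN-shaped token) and otherwise tells the agent to
ask rather than load the workflow. The intent phrases come from the findings
above; the signal list and the ASIN pattern are assumptions.
"""
import re
from typing import Tuple

INTENT_PHRASES = (
    "pain points", "can i do this", "what do users want", "who is buying",
    "write listing", "generate bullet points", "help me write product page",
    "optimize my listing", "what's wrong with my listing", "chinese sellers",
)
MARKETPLACE_SIGNALS = ("amazon", "asin", "seller central", "fba", "buy box")
ASIN_RE = re.compile(r"\bB0[A-Z0-9]{8}\b")   # assumed shape of a 10-character ASIN


def keyword_trigger(text: str) -> bool:
    """Over-broad rule: fires on any intent phrase, whatever the context."""
    t = text.lower()
    return any(p in t for p in INTENT_PHRASES)


def scoped_trigger(text: str) -> Tuple[bool, str]:
    """Hardened rule: intent phrase AND a marketplace signal.
    Returns (fires, reason) so the agent can log why the skill was or was not loaded."""
    t = text.lower()
    intent = next((p for p in INTENT_PHRASES if p in t), None)
    if intent is None:
        return False, "no intent phrase"
    signal = next((s for s in MARKETPLACE_SIGNALS if s in t), None)
    if signal is None and ASIN_RE.search(text):
        signal = "asin token"
    if signal is None:
        return False, f"intent '{intent}' but no marketplace context; ask the user before loading"
    return True, f"intent '{intent}' with signal '{signal}'"


# Constructed requests; the ASIN-shaped token is made up.
SAMPLE_REQUESTS = (
    "Summarize the pain points from our SaaS onboarding survey",
    "Can I do this with a 30-day return policy?",
    "What do users want from the listing for B0CONSTRCT?",
    "Optimize my listing on Amazon for the hiking socks",
    "Help me write product page copy for our Shopify store",
)


def compare(requests=SAMPLE_REQUESTS) -> dict:
    """Map each request to (keyword rule fired, scoped rule fired, reason)."""
    out = {}
    for r in requests:
        fires, reason = scoped_trigger(r)
        out[r] = (keyword_trigger(r), fires, reason)
    return out


if __name__ == "__main__":
    for req, (kw, sc, why) in compare().items():
        print(f"keyword={kw!s:5} scoped={sc!s:5} {why}\n    {req}")
```

On the constructed requests the keyword rule fires on all five, including the SaaS survey, the return-policy question and the Shopify page; the scoped rule fires only on the two that carry an Amazon signal. Substring matching on the signal words is deliberately simple here; a production gate would use word boundaries so that "casino" does not count as "asin".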

Ssd 4

Medium
Confidence
97% confidence
Finding
The fallback logic progressively weakens evidence standards for labeling sellers as Chinese, ending in subjective pattern matching and category-based assumptions. This is dangerous because it systematizes speculative profiling and can produce false, biased classifications that users may treat as authoritative.
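The overview recommends rewriting the seller workflow to use only explicit source-provided country metadata with clear limitations. As an added example, not code from the skill or from SkillSpector, the following attribution routine does exactly that: it reads a declared country field, reports everything else as unknown with a coverage figure, and refuses to run if a configuration turns on the name- or category-based inference described in the findings above. The field name business_country, the config keys and the sample seller records are assumptions constructed for this illustration.

```python
"""Added example, not code from the skill or from SkillSpector.

Seller-country attribution restricted to an explicit, source-provided
country field. Sellers without one are reported as unknown and counted in a
coverage figure; nothing is inferred from names, suffixes or product
categories, and a configuration that turns such inference on is rejected.
The field name business_country, the config keys and the sample records are
assumptions constructed for this example.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

ISO_ALPHA2 = re.compile(r"^[A-Z]{2}$")
HEURISTIC_FLAGS = ("infer_country_from_name", "infer_country_from_category")


class InferenceNotPermitted(Exception):
    """Raised when a config asks for heuristic nationality inference."""


def seller_country(record: dict) -> Optional[str]:
    """The declared business country as ISO alpha-2, or None if absent or invalid."""
    value = record.get("business_country")
    if isinstance(value, str):
        code = value.strip().upper()
        if ISO_ALPHA2.match(code):
            return code
    return None


def country_breakdown(records: List[dict], config: Dict) -> dict:
    """Count sellers per declared country; refuse any heuristic fallback."""
    enabled = [flag for flag in HEURISTIC_FLAGS if config.get(flag)]
    if enabled:
        raise InferenceNotPermitted(f"heuristic inference not permitted: {', '.join(enabled)}")
    counts: Counter = Counter()
    unknown = 0
    for record in records:
        code = seller_country(record)
        if code is None:
            unknown += 1
        else:
            counts[code] += 1
    total = len(records)
    return {
        "counts": dict(counts),
        "unknown": unknown,
        "coverage": round((total - unknown) / total, 2) if total else 0.0,
        "caveat": f"{unknown} of {total} sellers declare no country and are reported as unknown, not guessed",
    }


def rejects_heuristics(config: Dict) -> bool:
    """True if the breakdown refuses to run under this config."""
    try:
        country_breakdown([], config)
    except InferenceNotPermitted:
        return True
    return False


# Constructed records, not real sellers. S2 has a name a heuristic might
# pattern-match on; it stays unknown here because no country is declared.
SAMPLE_SELLERS = [
    {"seller_id": "S1", "name": "Northwind Goods", "business_country": "US"},
    {"seller_id": "S2", "name": "Lin Trading Co., Ltd", "business_country": None},
    {"seller_id": "S3", "name": "Blue Fern Studio", "business_country": "de"},
    {"seller_id": "S4", "name": "Acme Imports", "business_country": "CN"},
]


if __name__ == "__main__":
    print(country_breakdown(SAMPLE_SELLERS, {}))
    print("rejects heuristics:", rejects_heuristics({"infer_country_from_name": True}))
```

The coverage and caveat fields are what make the result honest: a report built this way says how many sellers it could not place rather than filling the gap with a guess, and the policy check means a later config change cannot quietly re-enable the profiling fallback chain.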

VirusTotal

67/67 vendors rated this skill clean.