Amazon Pricing Command Center

Security checks across malware telemetry and agentic risk

Overview

This Amazon pricing skill is an API-backed research tool with some broader APIClaw CLI features, but the artifacts do not show hidden persistence, destructive behavior, or unrelated data theft.

Install only if you are comfortable sending Amazon ASINs, competitor/product context, pricing inputs, and possibly business assumptions to APIClaw. Use a dedicated APIClaw key with limited credits, avoid storing unrelated secrets in config files, and treat the bundled CLI as a broader Amazon product research tool even though the main skill is framed around pricing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill requires an environment secret (`APICLAW_API_KEY`) and instructs use of a local script plus external API access, yet it does not declare corresponding permissions in a way that transparently constrains runtime capabilities. This creates a trust and review gap: operators may approve a seemingly narrow pricing skill without realizing it can read env vars, files, and make network calls, increasing the risk of secret misuse or unexpected data access.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The documented skill purpose is a focused pricing advisor, but the underlying referenced script reportedly supports broad Amazon research, monitoring, review analysis, connectivity testing, and other unrelated workflows. This mismatch is dangerous because users and reviewers may grant access based on a narrow use case while the actual tool surface enables substantially wider data retrieval and actions, making abuse or over-collection harder to detect.

Description-Behavior Mismatch

Severity: High
Confidence: 93%
Finding: The reference file is materially misaligned with the declared skill purpose: it documents a 'Market Entry Analyzer' workflow rather than a pricing intelligence agent. This kind of documentation drift is dangerous because it can cause the agent or maintainers to invoke broader, irrelevant endpoints and apply the wrong analytical logic, leading to over-collection of data, incorrect decisions, and weakened reviewability of the skill's behavior.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding: The inline endpoint-purpose table explicitly maps endpoints to market-entry workflow steps that contradict the skill's stated repricing/pricing-analysis purpose. In an agent setting, contradictory operational guidance can steer the system toward unintended behavior, expanding data access and producing outputs outside user intent, which increases both security and reliability risk.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding: The trigger text is very broad and matches common pricing conversations, which can cause the skill to activate in many routine chats where the user did not intend to invoke an external API-backed research workflow. In context, that is more dangerous because this skill can consume credits, process seller/product identifiers, and leverage broader underlying capabilities than its name suggests.

Missing User Warnings

Severity: Low
Confidence: 85%
Finding: The script silently reads credentials from a local config.json in the skill directory during normal execution, creating an implicit secret-access behavior that may surprise users or reviewers. In this skill context, that matters because the tool also performs outbound API calls, so locally sourced credentials are immediately used for external transmission without an explicit runtime disclosure or consent boundary.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding: The self-check command reads ~/.apiclaw/config.json without prior warning, which expands secret-access scope from the skill directory to the user's home directory. In a hosted agent setting, undisclosed reads of home-directory credential material are sensitive because they normalize credential discovery behavior and may access secrets the operator did not intend this skill to use.

VirusTotal

67/67 vendors flagged this skill as clean.