Skill v1.0.0

ClawScan security

Amazon Listing Optimizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 14, 2026, 8:02 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and resource needs are consistent with its stated purpose (scraping and analyzing Amazon listings); it requires no secrets or unusual installs and only communicates with Amazon endpoints and the local filesystem.
Guidance
This skill appears internally coherent and does what it says: it scrapes Amazon pages and the Amazon autocomplete endpoint, analyzes the HTML/JSON, and saves reports locally. Things to consider before installing or running it:
1) Scraping Amazon can trigger rate limits or CAPTCHAs, or violate Amazon's terms of service; runs use your machine's IP and may be blocked if used heavily.
2) The scripts save scraped data to reports/ in the skill folder; review these files for any sensitive data you don't want stored locally.
3) The publisher/homepage is unknown, so if you plan to run code on a production machine, inspect the scripts yourself (they are included) and consider running them in an isolated environment (container or VM).
4) Although no secrets are requested, network requests to amazon.* domains reveal your IP and timing; if that is a concern, run behind a proxy.
Overall the skill is coherent and proportionate for its stated purpose, but review and sandbox before broad use.

Review Dimensions

Purpose & Capability
ok: Name/description match what the skill does: included Python scripts fetch Amazon pages and autocomplete suggestions, parse listing data, score components, extract keywords, and write local reports. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
ok: SKILL.md instructs the agent to run the included Python scripts. The scripts only perform HTTP(S) requests to Amazon domains, parse HTML/JSON, print output, and save JSON reports under the skill's reports/ directory. There are no instructions to read unrelated system files, access environment secrets, or send data to third-party endpoints outside of amazon.* domains.
Install Mechanism
ok: No install spec is provided and the code is pure-stdlib Python; nothing is downloaded or written during install. This is low-risk from an installation standpoint.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths, and the scripts do not attempt to read hidden env vars. Network access to Amazon endpoints is necessary for the claimed functionality and is proportionate.
Persistence & Privilege
note: The skill does write reports to a local reports/ directory (creates files under the skill path) but does not request permanent platform-level privileges or modify other skills. always is false and autonomous invocation is permitted by default (normal for skills).