ClawHub

Keepa Api

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Keepa API helper, but users need to protect their Keepa API key because it may be stored locally and sent in request URLs.

Install only if you are comfortable using a Keepa API key with this tool. Prefer KEEPA_API_KEY over a checked-in CONFIG.md file, keep any config file out of shared repositories, restrict local file access where possible, and rotate the key if it appears in logs or shared command output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs the agent to use shell commands such as `curl`, `jq`, and filesystem checks, but no explicit permissions or capability declarations are documented. This creates a mismatch between the skill's effective behavior and its declared trust boundary, which can lead to unexpected command execution and make review and runtime enforcement harder.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill tells users to store the Keepa API key in plaintext in `.teamclaw-skills/keepa-api/CONFIG.md` or `~/.teamclaw-skills/keepa-api/CONFIG.md` without any warning about secrecy, file permissions, redaction, or safer storage. Plaintext local credential storage increases the risk of accidental disclosure through backups, repo commits, logs, or other local users/processes reading the file.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation explicitly instructs users to place the API key in the URL query string. Query-string credentials are commonly exposed through browser history, logs, reverse proxies, monitoring systems, referrer leakage, and copied command histories, so documenting this pattern without any warning or safer handling guidance creates a real secret-exposure risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script places the API key directly in the request URL query string. Even over HTTPS, secrets in URLs can be exposed through shell history, process listings, proxy logs, debugging output, or monitoring systems, making credential leakage more likely than if a header or request body were used.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal