Amazon Product Research & Seller Analytics

Security checks across malware telemetry and agentic risk

Overview

This Amazon seller analytics skill is mostly legitimate, but it needs review because it includes nationality-based seller profiling heuristics and some overly broad activation guidance.

Review before installing. Use an environment variable for the API key, avoid pasting secrets into chat or storing them in config.json unless you control file permissions, and only allow API calls for clear Amazon seller-research tasks. Avoid or rewrite the Chinese seller workflow unless it is limited to verified seller-location fields and does not infer nationality from names, brands, or category stereotypes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

High
Confidence: 98%
Finding
This workflow explicitly instructs the agent to classify sellers as Chinese using nationality/location signals and, when those are missing, to infer origin from names, brand patterns, and product-category heuristics. That creates sensitive-attribute profiling and unreliable ethnicity/national-origin inference, which can enable discriminatory recommendations and false accusations based on weak proxies.

Description-Behavior Mismatch

Low
Confidence: 86%
Finding
The script loads credentials not only from the declared environment variable but also from a local config.json in the skill directory. In an agent/skill ecosystem, expanding credential sources beyond the manifest increases the chance of silently consuming unexpected local secrets or persisting credentials in repo-adjacent files that may be mishandled.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README instructs users to give the API key directly to the AI agent so it can save the credential into config.json automatically, but it does not explain storage location, file permissions, retention, or exposure risks. In an agent skill context, encouraging secret disclosure to the model/runtime increases the chance the key is logged, echoed in chat history, persisted insecurely, or exfiltrated by other tools or prompts.

Vague Triggers

Medium
Confidence: 83%
Finding
The trigger phrases for comprehensive product recommendations are broad enough to match ordinary conversational requests such as 'help me choose' or 'what should I sell' without sufficient domain qualification. Overbroad activation can cause the skill to run in contexts the user did not intend, leading to unnecessary data collection, irrelevant tool use, and increased exposure to downstream risky workflows.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger 'Chinese sellers' is ambiguous and can activate the workflow for broad or exploratory queries without clarifying the user's legitimate business purpose. Because the underlying section performs nationality-focused seller analysis, loose triggering increases the chance of inappropriate profiling or discriminatory analysis being initiated too easily.

Natural-Language Policy Violations

Medium
Confidence: 96%
Finding
This section is designed around analyzing and comparing sellers by national origin, with no documented necessity, consent, or non-discriminatory constraint. In the context of an Amazon seller analytics skill, that makes the feature more dangerous because it operationalizes protected-trait segmentation as a product capability rather than incidental metadata use.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger phrase "can I do this" is highly ambiguous and could match many unrelated user requests, causing this skill to activate outside its intended Amazon product-risk context. In an agent setting, over-broad invocation can route sensitive or irrelevant conversations into the skill, leading to incorrect tool use, unwanted API calls, or misleading business advice.

Vague Triggers

Medium
Confidence: 88%
Finding
The phrase "what do users want" is overly broad and can be triggered by generic consumer-behavior questions unrelated to Amazon category analytics. This increases the chance of unintended skill activation, which can misroute queries and produce irrelevant or misleading analysis based on category-review tooling.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger phrase set around listing generation includes very generic requests like 'write listing' and 'write title', which can overlap with ordinary writing or ecommerce-help requests outside the intended Amazon/APIClaw context. This can cause the skill to activate unexpectedly, exposing seller analytics behavior, prompting for business data, or steering a conversation into external-tool workflows when the user did not intend that scope.

Vague Triggers

Medium
Confidence: 88%
Finding
The competitor-analysis triggers include broad phrases like 'what are they saying' and 'their selling points', which are ambiguous in general conversation and insufficiently scoped to Amazon competitor listings. Such ambiguity increases the risk of unintended skill activation, causing the agent to interpret unrelated discussion as permission to analyze competitors or invoke product-research flows.

Vague Triggers

Medium
Confidence: 89%
Finding
The load condition explicitly says to load for pricing strategy, profit estimation, or listing reference tasks, which is broad enough to activate this skill for generic pricing or listing requests that may not actually require Amazon seller analytics. Over-broad activation increases the chance the agent invokes external-commerce tooling in the wrong context, causing irrelevant data access, unnecessary API use, or misleading task routing.

VirusTotal

65/65 vendors flagged this skill as clean.
