Amazon Product Research & Seller Analytics

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill is a coherent Amazon product-research integration that uses an APIClaw key and local Python helper to query APIClaw, with no artifact-backed malicious behavior found.

Before installing, confirm you trust APIClaw with your Amazon research queries, set the API key via environment variable rather than chat or config files when possible, and verify the release version because the registry and documentation versions do not fully match.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing and using the skill gives the agent access to your APIClaw API key for APIClaw requests, which may consume quota and should be protected like any service credential.

Why it was flagged

The skill needs a provider API key and can read it from either an environment variable or a local config file. This is disclosed and purpose-aligned, but it is still credential handling.

Skill content

Required: `APICLAW_API_KEY` ... Scope: used only for `https://api.apiclaw.io` ... Fallback: The script also checks `config.json` in the skill root directory if the env var is not set.

Recommendation

Use APICLAW_API_KEY as an environment variable, avoid pasting keys into chat, and rotate the key if it is accidentally exposed.

What this means

The agent may run several provider API calls during analysis, which can reveal research queries to APIClaw and consume API credits.

Why it was flagged

The skill instructs the agent to execute a local Python CLI and, if needed, make direct curl calls to the provider. This is central to the research function, but it means the agent can initiate external API requests.

Skill content

`scripts/apiclaw.py` | **Execute** for all API calls ... Fallback: If script fails and can't be quickly fixed, use curl directly.

Recommendation

Review requested analyses before large runs, especially bulk ASIN or competitor workflows, and monitor APIClaw credit usage.

What this means

Users may have difficulty confirming whether the installed skill, documentation, and security policy refer to the same release.

Why it was flagged

The provided artifacts are internally inconsistent about the version being reviewed. This does not show malicious behavior, but it is a provenance and release-hygiene issue.

Skill content

Registry metadata Version: 1.2.1; SKILL.md frontmatter shows version: 1.1.5; SECURITY.md lists supported version 1.1.x.

Recommendation

Verify the installed package against the upstream repository and prefer a release where registry metadata, SKILL.md, and security documentation agree.