v1.2.1

Amazon Product Research & Seller Analytics

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:23 AM.

Analysis

This skill is a coherent Amazon product-research integration that uses an APIClaw key and local Python helper to query APIClaw, with no artifact-backed malicious behavior found.

Guidance

Before installing, confirm you trust APIClaw with your Amazon research queries, set the API key via environment variable rather than chat or config files when possible, and verify the release version because the registry and documentation versions do not fully match.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
`scripts/apiclaw.py` | **Execute** for all API calls ... Fallback: If script fails and can't be quickly fixed, use curl directly.

The skill instructs the agent to execute a local Python CLI and, if needed, make direct curl calls to the provider. This is central to the research function, but it means the agent can initiate external API requests.

User impact: The agent may run several provider API calls during analysis, which can reveal research queries to APIClaw and consume API credits.
Recommendation: Review requested analyses before large runs, especially bulk ASIN or competitor workflows, and monitor APIClaw credit usage.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
metadata
Registry metadata Version: 1.2.1; SKILL.md frontmatter shows version: 1.1.5; SECURITY.md lists supported version 1.1.x.

The provided artifacts are internally inconsistent about the version being reviewed. This does not show malicious behavior, but it is a provenance and release-hygiene issue.

User impact: Users may have difficulty confirming whether the installed skill, documentation, and security policy refer to the same release.
Recommendation: Verify the installed package against the upstream repository and prefer a release where registry metadata, SKILL.md, and security documentation agree.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
Required: `APICLAW_API_KEY` ... Scope: used only for `https://api.apiclaw.io` ... Fallback: The script also checks `config.json` in the skill root directory if the env var is not set.

The skill needs a provider API key and can read it from either an environment variable or a local config file. This is disclosed and purpose-aligned, but it is still credential handling.

User impact: Installing and using the skill gives the agent access to your APIClaw API key for APIClaw requests, which may consume quota and should be protected like any service credential.
Recommendation: Use APICLAW_API_KEY as an environment variable, avoid pasting keys into chat, and rotate the key if it is accidentally exposed.