v1.2.2

Amazon Product Research & Seller Analytics

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:42 AM.

Analysis

The skill appears purpose-aligned for Amazon product research, but users should notice that it uses an API key, runs a local helper script, and has some version/provenance metadata inconsistencies.

Guidance: This looks like a coherent API-backed Amazon research skill. Before installing, verify the source/version because the package metadata is inconsistent, use a dedicated APIClaw key if possible, prefer the `APICLAW_API_KEY` environment variable over `config.json`, and be aware that full analyses may make multiple API calls using your account quota.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Info | Confidence: High | Status: Note
SKILL.md
`scripts/apiclaw.py` | **Execute** for all API calls

The skill directs the agent to run a bundled Python helper script for API requests; this is disclosed and central to the product analytics purpose.

User impact: Using the skill may run local Python commands that send your requested product, ASIN, category, or keyword queries to APIClaw.
Recommendation: Use the skill for intended Amazon research tasks and review command/output details when performing large or credit-consuming analyses.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
_meta.json
"ownerId": "kn7berv3s1me12v17sxktkd5g182rj3t", "slug": "amazon-analysis-skill", "version": "0.1.6"

This differs from the registry metadata shown for the evaluated package, which lists a different owner ID, slug, and version; this is a provenance/versioning inconsistency rather than direct evidence of malicious behavior.

User impact: Users may have less certainty that the packaged artifact exactly matches the registry listing or homepage version they expected.
Recommendation: Verify the package source and version against the project homepage before installing in a sensitive workspace.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
Required: `APICLAW_API_KEY` ... Scope: used only for `https://api.apiclaw.io`

The skill requires a service API key and says it is scoped to APIClaw, which is expected for the stated API-backed product research purpose.

User impact: The skill can use your APIClaw credential and may consume your account quota when making product research requests.
Recommendation: Use a dedicated APIClaw key if possible, set it as an environment variable, and rotate or revoke it if you stop using the skill.

Identity and Privilege Abuse
Severity: Low | Confidence: Medium | Status: Note
README.md
Config file: Tell your AI agent your key — it saves to `config.json` automatically

The documentation describes an on-disk config fallback for the API key, which is more persistent than the preferred environment-variable setup and is somewhat inconsistent with SKILL.md's instruction not to write keys to disk.

User impact: If used, the API key may be stored locally in the skill directory and could be exposed if that directory is shared or backed up insecurely.
Recommendation: Prefer `APICLAW_API_KEY` as an environment variable and avoid saving the key in `config.json` unless you understand and accept the local storage risk.