Security audit

Amazon Product Research & Seller Analytics

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a legitimate Amazon research integration, but it needs Review because it combines API-key use and external API calls with broad activation language, inconsistent credential guidance, and nationality-based seller inference instructions.

Install only if you are comfortable sending Amazon research queries to APIClaw and using your APIClaw quota. Prefer a dedicated APICLAW_API_KEY in an environment variable, avoid telling an agent to save keys to config files, and treat the Chinese seller analysis guidance as unsafe unless revised to use only explicit sellerLocation data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill requires an environment secret, instructs reading local files such as `config.json`, and directs network access through a Python script, yet the metadata declares only `openclaw.requires` and no explicit permissions model. This creates a capability/permission mismatch: a host may expose env, file-read, and network behavior without clear review boundaries, increasing the chance of over-privileged execution or secret handling outside the intended API-only scope.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The workflow explicitly instructs the agent to infer whether sellers are Chinese using nationality/location proxies such as city names, pinyin-style names, naming patterns, and 'gibberish' brand heuristics when direct sellerLocation data is missing. This goes beyond ordinary product research and creates a profiling mechanism based on nationality/ethnicity-adjacent attributes, with a high risk of inaccurate or discriminatory classification and downstream biased recommendations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly tells users to give their API key to the agent and says it will be saved to config.json automatically, but provides no warning that the key is sensitive, no guidance on secure storage, and no discussion of exposure risks. In an agent skill context, this is more dangerous than a normal README because agents may log prompts, persist configs in insecure locations, or leak secrets through tool output, making accidental credential disclosure more likely.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The description includes broad trigger phrases like product selection, finding products to sell, competitor tracking, risk assessment, and listing optimization, which overlap with many ordinary ecommerce conversations. Over-broad invocation guidance can cause the skill to auto-activate unintentionally, leading to unnecessary external API calls, use of sensitive environment-backed credentials, and disclosure of user prompts or business context to a third-party service.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger list for the Chinese seller case study includes a very broad activation phrase ('Chinese sellers'), which can cause the skill to enter a sensitive nationality-focused analysis mode from ambiguous user input. Because that mode performs nationality inference heuristics and comparative profiling, broad triggering increases the chance of initiating discriminatory or unjustified analysis without clear user need or proper context.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrase "can I do this" is overly broad and can match many unrelated user queries, causing the Amazon research skill to activate outside its intended domain. In an agent system, unintended activation can lead to irrelevant tool usage, unnecessary API calls, and misleading product/risk-analysis responses when the user was asking a generic question.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The line instructs the system to load this file for broad tasks like product expansion, trend discovery, or discontinuation decisions without clearly constraining when the skill should activate. In agent environments, overly broad routing language can cause the skill to be invoked in common commerce conversations, increasing the chance of unnecessary external API use, unintended data disclosure to third-party services, or actions based on weak/ambiguous user intent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases for competitive listing analysis are broad enough to match ordinary discussion about competitors or product messaging, which can cause the skill to activate outside the user's actual intent. In an agent setting, unintended activation can lead to unnecessary external API calls, irrelevant competitive analysis, and disclosure of marketplace-research behavior when the user only wanted general writing help.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The listing-copy generation trigger set includes generic phrases like writing or optimization requests that are common in many unrelated contexts. This increases the chance of accidental tool invocation, causing the agent to pull competitor and product data or shape responses around Amazon listing workflows when the user may only want generic copywriting assistance.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The optimization-diagnosis triggers are ambiguous and can overlap with normal editing or improvement requests, making unintended skill routing plausible. In this skill's context, that misrouting can initiate seller analytics flows and third-party API usage on vague requests, which creates unnecessary data processing, cost, and possible confusion in downstream actions.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The line 'Load when handling pricing strategy, profit estimation, or listing reference tasks' is broad enough that 'listing reference tasks' could match generic requests unrelated to Amazon seller analytics. Over-broad activation can cause the agent to invoke this skill in contexts where users did not intend Amazon-focused research, increasing the chance of irrelevant tool use, unnecessary data exposure to third-party APIs, or misleading responses based on the wrong domain.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill reads API credentials from a local config.json in the skill directory without clearly disclosing that local sensitive files may be accessed. In agent environments, undisclosed credential-file access is risky because users may not expect the tool to inspect local files for secrets, and those credentials are then used to authenticate outbound requests.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code sends user-supplied product, category, ASIN, and review-analysis inputs to a third-party external API over the network, but there is no explicit privacy or data-transmission warning at the point of use. In an agent setting, silent exfiltration of user-provided business queries or identifiers to an external service is a meaningful security and privacy concern even when HTTPS is used.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The self-check command inspects ~/.apiclaw/config.json for credentials without making that sensitive file access clear in the command help. Even though it only looks for an API key, hidden reads of user home-directory secrets reduce transparency and can violate least-surprise expectations in automated agent contexts.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.