Dataify Amazon Comment

Security checks across malware telemetry and agentic risk

Overview

This skill is a Dataify helper that openly submits Amazon review collection tasks; the scans below found no evidence of hidden or destructive behavior.

Before installing, be comfortable with the skill reading a Dataify API token (`DATAIFY_API_TOKEN`) from the environment and submitting Amazon product URLs to Dataify. Confirm the URL and file_name carefully before approving a task, since Dataify usage may consume account quota or trigger paid scraping jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Missing Permission Declaration

Medium
Category
MCP Least Privilege
Confidence
88%
Finding
The skill instructs the agent to access a saved environment variable (`DATAIFY_API_TOKEN`) and make outbound network requests, yet no explicit permissions are declared. That creates a transparency and policy-enforcement gap: users and the platform may not be clearly informed that the skill can read local secrets and contact an external service. In this context, the risk is real because the skill is specifically designed to use a bearer token and submit data to a remote endpoint.

Vague Triggers

Medium
Confidence
94%
Finding
The skill enables implicit invocation, which allows the agent to trigger it without an explicit user request, while the YAML file itself provides no concrete trigger constraints, exclusions, or negative examples. Because this skill can submit external Dataify collection tasks and may use an API token, overly broad invocation increases the risk of unintended task execution, accidental scraping requests, or invocation from loosely related user prompts.
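As an added example (not code from the skill, from Dataify, or from SkillSpector), the following Python linter applies the two checks raised in these findings to a constructed skill manifest: it compares the environment variables and hosts referenced in the skill's instruction text against the permissions the manifest declares, and flags implicit invocation that carries no trigger phrases or exclusions. The manifest fields (`permissions.env`, `permissions.network`, `invocation`, `triggers`, `exclusions`), the host `api.dataify.example`, and the instruction text are assumptions made for illustration, not the real skill file or the Dataify endpoint.

```python
"""Minimal skill-manifest linter for the two findings above.

Assumed manifest shape (hypothetical, not a real skill schema):
  permissions.env      -> env vars the skill is allowed to read
  permissions.network  -> hosts the skill is allowed to contact
  invocation           -> "explicit" or "implicit"
  triggers/exclusions  -> phrases that should / should not invoke the skill
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# $VAR or ${VAR} references, and bare secret-looking names such as FOO_API_TOKEN.
ENV_REF_RE = re.compile(r"\$\{?([A-Z][A-Z0-9_]+)\}?")
ENV_WORD_RE = re.compile(r"\b([A-Z][A-Z0-9_]*_(?:TOKEN|KEY|SECRET|PASSWORD))\b")
# Hosts of literal http(s) URLs. Heuristic: a URL passed only as *data* (such as
# an Amazon product URL the user supplies) would also be flagged, so review hits.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


@dataclass
class Finding:
    category: str
    title: str
    detail: str


def referenced_env_vars(body: str) -> set[str]:
    """Environment variables the instruction text tells the agent to read."""
    names = set(ENV_REF_RE.findall(body))
    names.update(ENV_WORD_RE.findall(body))
    return names


def referenced_hosts(body: str) -> set[str]:
    """Hosts the instruction text tells the agent to contact."""
    return set(URL_RE.findall(body))


def audit_skill(manifest: dict, body: str) -> list[Finding]:
    perms = manifest.get("permissions") or {}
    declared_env = set(perms.get("env", []))
    declared_net = set(perms.get("network", []))
    findings: list[Finding] = []

    # Finding 1: local secret read / outbound request with nothing declared.
    undeclared_env = referenced_env_vars(body) - declared_env
    if undeclared_env:
        findings.append(Finding(
            "MCP Least Privilege", "Missing Permission Declaration",
            f"reads {sorted(undeclared_env)} but permissions.env does not list them"))
    undeclared_net = referenced_hosts(body) - declared_net
    if undeclared_net:
        findings.append(Finding(
            "MCP Least Privilege", "Missing Permission Declaration",
            f"contacts {sorted(undeclared_net)} but permissions.network does not list them"))

    # Finding 2: implicit invocation with no constraints on when it fires.
    implicit = manifest.get("invocation", "implicit") == "implicit"
    if implicit and not manifest.get("triggers") and not manifest.get("exclusions"):
        findings.append(Finding(
            "Trigger Abuse", "Overly Broad Trigger",
            "implicit invocation with no trigger phrases or exclusions"))
    return findings


# Constructed instruction text mirroring what the findings describe. The host
# api.dataify.example is a placeholder, not the real Dataify endpoint.
SKILL_BODY = """
Read the bearer token from the DATAIFY_API_TOKEN environment variable.
POST {"url": <amazon product url>, "file_name": <name>} to
https://api.dataify.example/v1/tasks with header
Authorization: Bearer $DATAIFY_API_TOKEN.
"""

# Weak manifest: the scanned skill's state (implicit invocation, nothing declared).
WEAK_MANIFEST = {
    "name": "dataify-amazon-comment",
    "invocation": "implicit",
    "triggers": [],
    "exclusions": [],
    "permissions": {},
}

# Hardened manifest: declares exactly what the body needs and narrows invocation.
HARDENED_MANIFEST = {
    "name": "dataify-amazon-comment",
    "invocation": "explicit",
    "triggers": ["collect Amazon product reviews with Dataify"],
    "exclusions": ["general Amazon shopping or pricing questions"],
    "permissions": {
        "env": ["DATAIFY_API_TOKEN"],
        "network": ["api.dataify.example"],
    },
}

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"== {label} manifest ==")
        for f in audit_skill(manifest, SKILL_BODY):
            print(f"[{f.category}] {f.title}: {f.detail}")
```

Run stand-alone, it reports three findings for the weak manifest (undeclared env var, undeclared host, overly broad trigger) and none for the hardened one. The regexes are deliberately simple: they only catch conventions like `$VAR`, `${VAR}` and `*_TOKEN`, and they flag every literal host, including one that is merely passed as task data, so treat hits as leads for manual review rather than proof.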

VirusTotal

0/65 vendors flagged this skill; all 65 reported it clean.
