Dataify Amazon Global Product

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Dataify integration that submits user-confirmed Amazon collection jobs and does not show hidden or destructive behavior.

Install only if you intend to use Dataify for Amazon product collection. Before running it, confirm the submitted table of parameters, understand that those parameters are sent to Dataify, and keep DATAIFY_API_TOKEN private and revocable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill explicitly instructs access to environment variables and outbound network requests, but no declared permissions are present. This creates a mismatch between the skill's stated behavior and its security model, reducing transparency and preventing proper consent/review for sensitive capabilities like token access and external submission.

Missing User Warnings

Low
Confidence: 88%
Finding: The skill directs the agent to read a saved API token from the environment and use it automatically, but it does not warn about credential sensitivity, scope, storage risks, or confirmation before use. In an agent setting, silent reuse of stored secrets can lead to unintended disclosure or unauthorized third-party actions on behalf of the user.

Missing User Warnings

Medium
Confidence: 91%
Finding: The skill sends user-provided Amazon URLs, keywords, brands, and related parameters to an external Dataify endpoint without a privacy notice or explicit acknowledgement that this data leaves the local environment. Even if the data seems routine, it may reveal commercial intent, research interests, or proprietary targeting criteria when transmitted to a third party.

VirusTotal

65/65 vendors flagged this skill as clean.
