Dataify Amazon Product

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it helps submit Amazon product collection jobs to Dataify. Users should understand the cautions around token handling and third-party data sharing.

Install only if you intend to use Dataify to submit Amazon product collection jobs. Keep DATAIFY_API_TOKEN private, avoid persistent storage on shared machines, and verify task parameters before submission because jobs are sent to Dataify and may use your account quota or raise site-policy considerations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium (89% confidence)
Finding
The skill instructs the agent to retrieve and use a saved API token from DATAIFY_API_TOKEN without any warning about secret handling, scope, masking, or consent. In an agent setting, silently pulling credentials from the environment can lead to unintended secret use, leakage into logs, or use on behalf of a user who did not realize stored credentials would be accessed.

Missing User Warnings

Medium (91% confidence)
Finding
The skill sends Amazon URLs, keywords, zip codes, and bearer-token-authenticated requests to an external Dataify endpoint, but it does not explicitly warn the user that these inputs will leave the local environment. This is dangerous because user-provided commercial data, location-related data such as zip code, and authentication-backed requests are transmitted to a third party without clear informed consent.

Vague Triggers

Medium (91% confidence)
Finding
The skill can be invoked implicitly, and its trigger description is broad enough that an agent may route loosely related user requests into a web-scraping/data-collection action without clear user intent or tight scoping. In this context, that is risky because the skill submits external Dataify collection tasks against Amazon content, which could cause unintended third-party requests, over-collection, or policy-violating automation from ambiguous prompts.

VirusTotal

65/65 vendors flagged this skill as clean.