Amazon Books
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a straightforward book-search skill; users should mainly notice that searches are sent to public book APIs and the advertised local Heardly database is not included in the provided files.
This skill looks safe for ordinary book searches. Before installing, be aware that your search terms may be sent to Google Books and Open Library, and the provided artifacts do not include the advertised local Heardly book database.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Book searches may be visible to Google Books and Open Library as part of normal operation.
The skill sends the user's search query to external book-search providers. This is disclosed and purpose-aligned, but it means search terms leave the local environment.
googleBooksApiUrl: 'https://www.googleapis.com/books/v1/volumes', openLibraryApiUrl: 'https://openlibrary.org/search.json'
Avoid using sensitive personal queries if you do not want them sent to these public services.
Heardly local summaries may not be available, and the skill may rely more on external APIs than the documentation implies.
The code optionally loads a local Heardly database, but the provided file manifest does not include data/books.json despite the documentation advertising a local Heardly database. This is a package-completeness/provenance note rather than evidence of malicious behavior.
const dataPath = path.join(__dirname, 'data', 'books.json');
if (fs.existsSync(dataPath)) {
  return JSON.parse(fs.readFileSync(dataPath, 'utf8'));
}
Verify the installed package includes any expected local database if local-only results or Heardly summaries matter to you.
