Skill v1.0.2
ClawScan security
Amazon Best Sellers API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 23, 2026, 3:12 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required token align with its stated purpose (calling JustOneAPI's Amazon Best Sellers endpoint); nothing requested is disproportionate or unrelated.
- Guidance: This skill is coherent with its purpose. Before installing: ensure you trust JustOneAPI and the listed homepage; keep JUST_ONE_API_TOKEN secret (do not paste it into chats or logs); be aware the token is passed in the URL/query string and may appear in server logs; restrict the token's permissions if possible and rotate it if exposed; review the provider's pricing/rate limits and privacy policy so you understand what data is sent to the third party.
Review Dimensions
- Purpose & Capability (ok): Name/description, required env var (JUST_ONE_API_TOKEN), required binary (node), and the bundled run.mjs script all match the declared purpose of calling JustOneAPI's GET /api/amazon/get-best-sellers/v1 endpoint.
- Instruction Scope (ok): SKILL.md and bin/run.mjs only ask for the API token and query parameters (category, optional country/page) and perform a single HTTP GET to the documented base URL. The instructions do not request unrelated files, credentials, or system data.
- Install Mechanism (ok): There is no install spec; the skill includes a small node script (bin/run.mjs). Requiring node is proportionate and no external downloads or archives are used.
- Credentials (ok): Only JUST_ONE_API_TOKEN is required and is the primary credential for the stated API. No other secrets or config paths are requested. Note: the token is sent as a query parameter (per the API), which can be visible in logs/URLs; the SKILL.md warns against pasting the token into chats or logs.
- Persistence & Privilege (ok): The skill does not request always: true and does not modify other skills or system-wide settings. It runs only when invoked.
