Skill v1.0.2

ClawScan security

Amazon Product Details API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 3:12 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, docs, and required environment (JUST_ONE_API_TOKEN + node) are consistent with its stated purpose of calling JustOneAPI's Amazon product-details endpoint.
Guidance
This skill appears to be a straightforward wrapper that requires a JustOneAPI token and Node to call an Amazon product-details endpoint. Before installing, confirm you trust the JustOneAPI service and that the JUST_ONE_API_TOKEN you provide is scoped appropriately. Avoid pasting the token into chat or logs; follow SKILL.md guidance to pass it via environment variables. If you need stricter guarantees, review network traffic or run the included bin/run.mjs locally to inspect behavior. Note: the script sends the token as a query parameter (per the manifest); ensure that usage matches your key's security posture.

Review Dimensions

Purpose & Capability
ok: Name/description match the included files and the declared requirements. The skill only needs node and JUST_ONE_API_TOKEN to call GET /api/amazon/get-product-detail/v1, which is coherent for an API wrapper.
Instruction Scope
ok: SKILL.md and bin/run.mjs only collect the ASIN (and optional country) and the API token, build an HTTP request to api.justoneapi.com, and print the JSON response. There are no instructions to read other files, access unrelated env vars, or transmit data to third parties.
Install Mechanism
ok: No install spec or external downloads. The provided runtime script is small, self-contained, and executed with node. No extraction or remote installer URLs are used.
Credentials
ok: Only JUST_ONE_API_TOKEN is required and is properly used as the authentication token for the API. No unrelated secrets or credentials are requested.
Persistence & Privilege
ok: Skill is not always-on and uses normal model invocation defaults. It does not modify other skills or request persistent system-level privileges.