Amazon Product Top Reviews API

Security checks across malware telemetry and agentic risk

Overview

This is a coherent API helper for JustOneAPI Amazon review lookups, with the main caution that its API token is placed in the request URL query string.

Install only if you trust JustOneAPI and are comfortable providing a token for this service. Use a scoped or low-privilege token if available, avoid logging full request URLs or command lines, and rotate the token if you suspect it was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill defines the API authentication token as a query parameter and injects it into the request URL. Query-string credentials are commonly exposed through logs, browser/history layers, proxy infrastructure, monitoring tools, and error telemetry, making accidental credential disclosure more likely even when HTTPS is used.

Missing User Warnings

Medium
Confidence: 96%
Finding
The API requires an authentication token to be supplied in the URL query string, which is commonly logged by clients, proxies, browser history, observability tools, and upstream servers. This increases the chance of credential leakage and unauthorized reuse of the token even if the transport itself uses HTTPS. The skill context does not justify this design choice, and because this is an interface definition, downstream integrators are likely to propagate the insecure pattern into production use.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill documents the API authentication token as a query parameter, which is a real security weakness because query strings are commonly recorded in browser history, reverse-proxy logs, monitoring systems, and upstream server logs. In an agent/integration context, this increases the chance of credential leakage through routine request logging or telemetry, enabling unauthorized reuse of the token.

VirusTotal

57/57 vendors flagged this skill as clean.