Amazon API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Amazon data lookup skill, but it sends its JustOneAPI token as a query parameter in request URLs, so users should treat request logs, command traces and the token itself as sensitive.

Install only if you are comfortable using a JustOneAPI token for Amazon lookups through api.justoneapi.com. Use a dedicated revocable token, avoid sharing command traces or full request URLs, and treat backend error payloads as potentially sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The API token is sent as a URL query parameter, which is commonly recorded in logs, browser histories, reverse proxies, analytics systems, and error telemetry. Even though the request is sent over HTTPS, placing credentials in the URL increases accidental credential disclosure risk far beyond using an Authorization header or other non-URL secret transport.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The authentication token is sent in the URL query string, which can be exposed through browser history, intermediary proxies, server access logs, analytics tooling, and debugging output. Even when using HTTPS, query parameters are commonly recorded more broadly than headers, increasing the chance of credential leakage and unauthorized API use.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
This operation repeats the same insecure pattern of transmitting the API token as a query parameter. That increases the attack surface because every invocation path may leak credentials into logs, monitoring systems, referer-like disclosures in adjacent tooling, or support artifacts.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
Placing the product detail endpoint's authentication token in the query string exposes secrets to routine operational logging and URL capture. If a token is leaked, an attacker could invoke the API under the victim's account, consume quota, access data available to that token, or pivot into related workflows.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
Using query-string authentication for the top reviews endpoint creates the same credential-exposure risk as the other operations. Because this pattern is present across the skill, the danger is systemic rather than isolated, making accidental token disclosure more likely in normal use and maintenance.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
Documenting authentication tokens as query parameters is dangerous because URLs are commonly logged by clients, proxies, web servers, browser history, and monitoring tools, which can expose credentials unintentionally. In an agent skill context, this is more risky because secrets may be propagated through tool traces, prompt logs, or debugging output outside the user's visibility.
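The overview's advice (avoid sharing command traces or full request URLs, treat backend error payloads as sensitive) and the findings above all come down to one operational control: the token must be scrubbed before a URL, access log, tool trace or echoed error body is stored or shared. The following is an added example of such a redactor, not code from the Amazon API skill or from JustOneAPI. The endpoint path, the placeholder token value, the log lines and the error payload are constructed for illustration; only the host api.justoneapi.com and the query-parameter transport of the token come from the page.

```python
"""Scrub a query-string API token from URLs, log lines and error payloads.

Added example; not the skill's or JustOneAPI's own code. The endpoint path
below is hypothetical, and the token value is a constructed placeholder.
"""
import logging
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names treated as secrets. ``token`` is the parameter the
# findings describe; the other names are assumed aliases so the same redactor
# also covers adjacent tooling that uses a different spelling.
SECRET_PARAMS = ("token", "api_key", "apikey", "access_token")
REDACTED = "REDACTED"

# Matches ``name=value`` for any secret parameter inside free text, stopping at
# the usual delimiters of a query string, a shell line or a JSON string.
_PARAM_RE = re.compile(r"(?i)\b(" + "|".join(SECRET_PARAMS) + r")=([^&\s\"'<>]+)")


def redact_url(url: str) -> str:
    """Return ``url`` with the values of secret query parameters replaced.

    Non-secret parameters (for example the ASIN) are kept so the redacted URL
    is still useful for debugging.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, REDACTED if k.lower() in SECRET_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def redact_text(text: str, known_secrets=()) -> str:
    """Scrub secret query parameters and any literally known secret values.

    Two passes are needed: the regex catches ``token=...`` wherever a URL was
    pasted, and the literal replacement catches the token when a backend error
    payload echoes it in some other shape (a JSON field, a plain string).
    """
    out = _PARAM_RE.sub(lambda m: f"{m.group(1)}={REDACTED}", text)
    for secret in known_secrets:
        if secret:
            out = out.replace(secret, REDACTED)
    return out


class SecretRedactingFilter(logging.Filter):
    """Logging filter that redacts the formatted message before any handler sees it."""

    def __init__(self, known_secrets=()):
        super().__init__()
        self.known_secrets = tuple(known_secrets)

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage(), self.known_secrets)
        record.args = ()  # message is already fully formatted
        return True


class _ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the demo can inspect them."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def demo() -> dict:
    """Run the redactor over constructed artefacts and return the scrubbed forms."""
    token = "jo_live_0123456789abcdef"  # constructed placeholder, not a real credential
    # The path is hypothetical; the host is the one the skill calls.
    url = f"https://api.justoneapi.com/v1/amazon/product?asin=B0TESTASIN&token={token}"

    # Constructed samples of where the URL ends up: an agent tool trace, a
    # proxy access log line, and a backend error payload that echoes the
    # request and the token in a JSON field (the regex alone would miss that).
    trace = f"tool_call: http.get {url}"
    access_log = f'10.0.0.5 - - [01/Jan/2024:00:00:00 +0000] "GET {url} HTTP/1.1" 429 87'
    error_payload = '{"error":"rate limited","request":"' + url + '","token":"' + token + '"}'

    # A private Logger instance (not the registry) so repeated demo() calls do
    # not accumulate handlers.
    logger = logging.Logger("skill.demo")
    logger.setLevel(logging.INFO)
    logger.addFilter(SecretRedactingFilter([token]))
    handler = _ListHandler()
    logger.addHandler(handler)
    logger.info("GET %s -> 429", url)

    return {
        "url": redact_url(url),
        "trace": redact_text(trace, [token]),
        "access_log": redact_text(access_log, [token]),
        "error_payload": redact_text(error_payload, [token]),
        "log_lines": handler.lines,
        "token": token,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Install the filter on whatever logger the skill's HTTP client writes to, and run `redact_text` over any backend error body before it is surfaced to the user or written into a tool trace; pairing the literal-value pass with the query-parameter pass is what covers the "error telemetry" and "support artifacts" cases the findings mention, not just the URL itself.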

VirusTotal

66/66 vendors flagged this skill as clean.
