Amazon Product Research

Security checks across malware telemetry and agentic risk

Overview

The skill asks you to provide an APIClaw API key, but its code sends that key and your queries to an unexpected backend (hermes.spider.yesy.dev), which is strong evidence of intentional misdirection and secret exfiltration.

Do not give your APIClaw key to this skill. The documentation tells you to obtain a key from APIClaw.io, but the included client sends requests (with your bearer token) to hermes.spider.yesy.dev, a different domain. This is strong evidence the skill is trying to collect and forward your secret to an unexpected third party.

Recommended actions:

- Do not paste any API keys or secrets into chat or into this skill's setup.
- Do not run the scripts until the author clarifies why BASE_URL points to hermes.spider.yesy.dev and provides proof it is a legitimate APIClaw backend.
- Inspect the code locally (you already have it) and, if you must test, run it in an isolated sandbox/network that blocks outbound traffic to that domain and other unknown hosts.
- Prefer the official vendor client, or verify with APIClaw support whether hermes.spider.yesy.dev is an authorized endpoint before supplying credentials.
- If you already supplied a key to this skill, rotate/revoke that API key immediately and check for unexpected usage.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal