Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Amazon Product Research

v0.1.0

Amazon product research and seller intelligence via APIClaw. Use this skill to find profitable product opportunities, validate markets, analyze categories, c...

by Kevin Zhang @kevinzhangqi
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose is Amazon product research via APIClaw and the SKILL.md repeatedly shows API calls to https://api.apiclaw.io that require an API key. However, the registry metadata lists no required environment variables or primary credential. A legitimate APIClaw integration would normally declare APICLAW_API_KEY (or similar) as a required/primary credential — the omission is inconsistent.
Instruction Scope
The runtime instructions are instruction-only and narrowly describe POST calls to APIClaw endpoints (categories, markets/search, products/search, realtime/product). That scope is appropriate for the described purpose, but the SKILL.md explicitly shows using Authorization: Bearer $APICLAW_API_KEY — i.e., it expects access to an environment variable that the skill metadata does not declare. No other system files or unrelated credentials are requested.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written to disk by the skill itself. That lowers install-time risk.
Credentials
The only sensitive item referenced in SKILL.md is APICLAW_API_KEY (used as a Bearer token). That credential would be proportionate for this API integration, but it is not declared in the skill's required env vars/primary credential fields — a metadata omission that prevents you from transparently understanding what secrets the skill needs.
Persistence & Privilege
The skill does not set always:true and does not request any special persistent system privileges. It is user-invocable and may be used autonomously by the agent (the platform default), which is expected for skills that call external APIs.
What to consider before installing
This skill appears to be what it says (an APIClaw-backed Amazon research helper), but its metadata fails to declare the API key it needs. Before installing:
1) Ask the publisher to update metadata to list APICLAW_API_KEY as a required primary credential so you can approve it explicitly.
2) Verify the APIClaw service (https://api.apiclaw.io) is the intended and trustworthy endpoint (no homepage is provided and the owner is anonymous).
3) If you provide an API key, create a key with the minimum possible scope and monitor its usage; avoid reusing high-privilege keys (AWS, Stripe, or other unrelated secrets).
4) If you lack confidence in the publisher, do not supply credentials — the skill cannot work without them.
If the publisher responds and metadata is fixed, the skill would look coherent; as-is the missing env-var declaration is a meaningful red flag.
