amazon-research-reviews-skill

Security checks across malware telemetry and agentic risk

Overview

The skill matches its stated review-analysis purpose, but it is rated Review because it can automatically install a Python package at runtime and leaves extra local copies of review data without clearly disclosing either behavior.

Review before installing. Use it only on review files you intentionally select, avoid sensitive or personal data unless you are comfortable with local copies being created, preinstall and pin openpyxl yourself if you need Excel support, and inspect or delete generated prompt/sample/output files before sharing or committing the workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
        try:
            import openpyxl
        except ImportError:
            print("📦 正在安装 openpyxl...")
            os.system("pip install openpyxl -q")
            import openpyxl

        print(f"🔄 检测到 Excel 文件,正在转换为 CSV...")
Confidence
98% confidence
Finding
os.system("pip install openpyxl -q")

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The prompt mandates emission of a hidden machine-readable <strategic_json> block that goes beyond the visible review-analysis report. This creates a covert secondary output channel that can exfiltrate enriched business intelligence or be consumed by downstream systems without clear user awareness, increasing the risk of data over-collection and unintended automation on sensitive strategic content.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill expands from comment analysis into prescriptive business strategy, execution directives, and ROI planning, which exceeds the stated review-analysis scope. This scope creep can cause downstream agents or users to over-trust speculative strategic recommendations as grounded analysis, and it increases the sensitivity of generated outputs by transforming raw reviews into actionable commercial strategy.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The utility persists both the generated AI prompt and sampled CSV review data to local files, which can unintentionally create a secondary data store containing potentially sensitive customer content. In a review-analysis skill, silently exporting or retaining samples increases privacy and data-handling risk, especially if the host environment is shared, monitored, or lacks retention controls.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill metadata says analysis quantity must be collected via AskUserQuestion before execution, but the controller silently defaults ANALYSIS_COUNT to 100 and continues. This bypasses an explicit user-consent/control requirement and can cause unintended processing volume, cost, or data handling without the required interaction step.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The processor performs dependency installation during normal file handling, which is outside the stated purpose of parsing CSV/Excel review data. This creates unexpected side effects: network egress, code retrieval from package indexes, and execution of installer logic, all of which are risky in an agent skill that may process untrusted user-supplied files. The skill context makes this more dangerous because users would not reasonably expect file analysis to mutate the environment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly states that raw review data and derived analysis artifacts will be written to output files, but it provides no warning about privacy, retention, or handling of usernames and other potentially identifying fields. In a skill that processes user-generated content at scale, this increases the risk of unintended storage, sharing, or downstream exposure of personal or sensitive data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly preserves original review data and generates labeled outputs, but it gives no privacy or data-handling warning. If review files contain usernames, free-text personal data, or sensitive customer content, the skill may replicate that information into multiple derivative files and increase exposure, especially on shared workstations or repos.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code prints the constructed prompt containing CSV headers and sample review rows directly to stdout for external AI use, which can leak potentially sensitive review data into terminal logs, CI logs, shell history capture, or screen recordings. Because the content is explicitly meant to be shared with an AI, this creates a real data-exposure path without any warning, redaction, or consent gate.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Writing sampled CSV data to a local JSON debug file creates an unannounced copy of potentially sensitive review text on disk. This expands the attack surface through leftover artifacts, accidental commits, backups, or access by other local users/processes, which is especially risky in data-analysis workflows handling customer-generated content.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The controller writes CSV-derived review content into prompt files on disk, creating an intermediate export of potentially sensitive or proprietary review data. In the skill context, this is more concerning because e-commerce reviews may contain personal data, order details, or other user-generated content that operators may not expect to be persisted outside the source CSV.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The extract action emits full review bodies as JSON to stdout, which can disclose potentially sensitive or regulated text content to logs, calling processes, or downstream tools without any explicit consent or warning. In an AI-driven review-analysis skill, this is more dangerous because raw user-generated content may include personal data, contact details, or other unexpected sensitive information and is likely to be forwarded into additional systems.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script logs formatted review content to stdout during processing, which can expose potentially sensitive user-generated text in terminal history, CI logs, or centralized logging systems. In a review-analysis skill, review bodies may contain names, contact details, order references, or other personal data, so indiscriminate logging increases privacy and data-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.
