amazon-sorftime-research-category-skill

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Amazon category-analysis purpose, but it automatically uses a local Sorftime API credential and sends it in URL-based requests, so it needs user review before installation.

Review before installing. Use a dedicated low-privilege Sorftime key, prefer an environment variable over storing keys in .mcp.json, avoid sharing generated logs/raw response files, and be aware that category queries and business research targets are sent to Sorftime. Open the generated dashboard only if you are comfortable with its external ECharts CDN dependency.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions while its documented behavior clearly requires environment access, file read/write, outbound network calls, and shell execution. This is dangerous because it hides the true capability surface from reviewers and users, undermining informed consent and making it easier for the skill to access credentials, write local artifacts, and transmit data externally without explicit approval.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The manifest presents the skill as a Markdown category-analysis tool, but the documentation describes broader behavior including automatic credential loading, multiple report formats, raw response persistence, logging, and extra data-processing utilities. This mismatch is risky because users may authorize a seemingly narrow skill while it actually performs wider file, data retention, and processing actions than advertised.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Automatically reading API keys from `.mcp.json` expands the skill's access to local secrets beyond what is necessary to describe category analysis alone. This is dangerous because local credential discovery can expose unrelated secrets, bypass explicit user provision, and normalize silent secret access in a skill that does not prominently disclose that behavior.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The template loads executable JavaScript from a public CDN at runtime, which creates a supply-chain and integrity risk: if the CDN, package, or network path is compromised, attacker-controlled code will execute in the report viewer's browser. In this skill context, the HTML also interpolates dynamic report data and renders rich client-side content, so external script execution is unnecessary trust expansion beyond local report rendering.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The referenced API surface extends well beyond the stated Amazon category-analysis purpose of the skill and includes cross-platform data access plus mutating keyword-management operations. This scope expansion increases the blast radius: a compromised or overly permissive skill could perform unintended actions or access unrelated datasets without clear user expectation or least-privilege boundaries.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill reads credentials from the project's .mcp.json, which broadens secret access beyond what a category-analysis workflow strictly needs at runtime. In an agent-skill context, automatically harvesting secrets from project configuration increases the blast radius if the skill is triggered unexpectedly or repurposed, and may expose unrelated project credentials to this workflow.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The natural-language triggers are broad and lack constraints, so the skill could activate for loosely related requests and begin external lookups or local file operations unexpectedly. In this context, unintended invocation matters because the skill also performs network calls, file writes, and credential-related behavior, amplifying the effect of a trigger mistake.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill discloses automatic API key loading from `.mcp.json` but does not provide a prominent user-facing warning that it will access local credentials. This is dangerous because users may not realize the skill reads sensitive local configuration, especially when combined with shell and network capabilities that could misuse or expose those credentials.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documented workflow sends category and product query data to an external service without a clear privacy notice or consent step. While the transmitted fields are business data rather than obviously secret, undisclosed outbound transmission is still risky because user inputs, identifiers, and analysis context may be sent to a third party unexpectedly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation shows an API key being passed in the request URL query string. Query-string credentials are commonly exposed through shell history, logs, proxies, monitoring systems, browser/history artifacts, and referrer-like propagation, so this creates a real credential-handling weakness even if the value shown is a placeholder. In a skill that automates external market-analysis API calls, this pattern increases the chance users will copy it directly into real workflows.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document shows API authentication material passed in the URL query string (`?key=YOUR_API_KEY`). Query-string credentials are commonly exposed through shell history, logs, proxies, monitoring systems, and shared screenshots, so this is a genuine credential-handling weakness even in reference documentation. In this skill context, the examples are likely to be copied directly by users or agents, which increases the chance of accidental key disclosure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Placing the API key in the URL query string can leak credentials through shell history, proxy logs, browser history, observability tooling, and server access logs. Even if TLS protects the transport, many systems routinely record full URLs, making accidental credential disclosure likely.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script extracts an API key from a local config file and places it directly into the request URL query string. Secrets in URLs are commonly exposed through logs, proxies, browser/history equivalents, monitoring systems, and server access logs, making credential leakage more likely than if the key were sent in an Authorization header or request body.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The API key is embedded directly into the request URL after being loaded from .mcp.json or the environment. Secrets in URLs are high-risk because they can be exposed through logs, process listings, proxies, browser/history equivalents, crash reports, and server-side access logs, making credential leakage more likely.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The workflow sends category names, site identifiers, and node IDs to an external Sorftime service without any user-facing consent or warning. In an agent setting, silent exfiltration of user-provided or potentially sensitive business research targets to a third-party service can violate expectations, confidentiality requirements, or organizational policy.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
```python
# Code example
import os

def get_api_key():
    # 1. Try the environment variable
    api_key = os.environ.get('SORFTIME_API_KEY', '')
    if api_key:
        return api_key
    # 2. The skill then falls back to reading the key from .mcp.json
    #    (that part of the function is not quoted in this finding)
```
Confidence
84% confidence
Finding
os.environ.get('SORFTIME_API_KEY

External Transmission

Medium
Category
Data Exfiltration
Content
### Call format
```bash
curl -s -X POST "https://mcp.sorftime.com?key=YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":N,"method":"tools/call","params":{"name":"TOOL_NAME","arguments":{"amzSite":"US","nodeId":"NODE_ID"}}}'
```
Confidence
90% confidence
Finding
curl -s -X POST "https://mcp.sorftime.com?key=YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
#### Step 1: Search the category to obtain the nodeId

```bash
curl -s -X POST "https://mcp.sorftime.com?key={API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"category_name_search","arguments":{"amzSite":"US","searchName":"品类关键词"}}}'
```
Confidence
90% confidence
Finding
curl -s -X POST "https://mcp.sorftime.com?key={API_KEY}" \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"category_name_search","argument

External Transmission

Medium
Category
Data Exfiltration
Content
**How to obtain the NodeID**:
```bash
# Search a broad category first and inspect the returned list of subcategories
curl -s -X POST "https://mcp.sorftime.com?key={API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"category_name_search","arguments":{"amzSite":"US","searchName":"Laptop"}}}'
```
Confidence
88% confidence
Finding
curl -s -X POST "https://mcp.sorftime.com?key={API_KEY}" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
5. **Test the API connection**:
```bash
curl -s -X POST "https://mcp.sorftime.com?key={YOUR_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"category_name_search","arguments":{"amzSite":"US","searchName":"Kitchen"}}}'
```
Confidence
88% confidence
Finding
curl -s -X POST "https://mcp.sorftime.com?key={YOUR_KEY}" \ -H "Content-Type: application/json" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.