v1.0.0

amazon-sorftime-research-MCP-skill

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 6:32 AM.

Analysis

The skill matches its stated Amazon competitor-analysis purpose, but users should expect Sorftime API use, an API key, and local Markdown report files.

Guidance

Before installing, make sure you trust the Sorftime service and publisher, protect the API key in .mcp.json, and expect generated reports to be saved under reports/ with potentially sensitive business analysis.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
All data must be fetched via curl POST requests ... Save location: project directory/reports/ ... Write $FILENAME

The skill instructs the agent to use curl for external API calls and the Write tool to create report files. This is disclosed and central to the stated analysis/reporting purpose.

User impact: When invoked, the agent may contact Sorftime and create Markdown files in the project reports directory.
Recommendation: Use it only in projects where external product-data lookups and local report creation are acceptable, and keep report paths within the documented reports/ directory.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

The registry metadata provides limited provenance, although the package contains only instructions and reference documents rather than executable code.

User impact: Users have limited publisher/source information to verify before trusting the instructions and external service configuration.
Recommendation: Confirm that the publisher and Sorftime endpoint are acceptable before adding an API key or using the workflow.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
README.md
"url": "https://mcp.sorftime.com?key=YOUR_API_KEY"

The skill requires a Sorftime API key to access the data service. This is expected for the integration, but it uses the user's account/API quota and should be handled as a secret.

User impact: A configured Sorftime key may be used for the skill's product, review, keyword, and trend requests.
Recommendation: Store the API key securely, avoid committing .mcp.json to source control, and rotate the key if it is exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Info; Confidence: High; Status: Note
SKILL.md
This analysis uses the Sorftime MCP service to obtain Amazon data. Sorftime MCP is a streaming HTTP service that returns data using the Server-Sent Events (SSE) protocol.

The skill discloses a third-party MCP/SSE data flow. The documented requests are purpose-aligned product queries, not broad local data sharing.

User impact: Sorftime will see the ASIN/site queries and any API requests made through the configured key.
Recommendation: Verify that Sorftime is an acceptable data provider for your use case and avoid putting confidential business details into API parameters unless necessary.