amazon-sorftime-research-reviews-skill

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only Amazon review analysis workflow (no bundled code): it reads a Sorftime API key, calls the Sorftime API, and saves review reports locally.

Install only if you are comfortable letting the agent read your Sorftime API key, send the ASIN/site to Sorftime, and keep raw product/review responses plus reports on disk. Use a dedicated revocable API key, review generated curl commands before execution, and delete raw data files when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The skill explicitly instructs reading a local `.mcp.json` file to extract an API key, which expands access beyond review analysis into local secret retrieval. Even if intended for legitimate API use, embedding credential-discovery behavior in the skill creates unnecessary secret exposure risk and could normalize exfiltration of local configuration data.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The skill directs use of shell commands and raw `curl` requests, granting broad execution and network capabilities not tightly constrained by the stated business purpose. This increases the attack surface because command execution and arbitrary HTTP requests can be repurposed to access local data, invoke unintended endpoints, or persist sensitive outputs to disk.

Description-Behavior Mismatch

Medium
Confidence: 78%
Finding
The design doc specifies a multi-step workflow that fetches external product/review data and persists several intermediate files, which expands operational behavior beyond a narrowly described 'review analysis' function. This is dangerous because users may invoke the skill expecting transient analysis, while the agent actually performs broader collection and storage of third-party content, increasing privacy, compliance, and data-retention risk.

Missing User Warnings

Medium
Confidence: 83%
Finding
The skill instructs saving raw review SSE responses to local files without warning users that these files may contain customer-generated content and related metadata. Persisting raw responses increases retention and secondary-use risk, especially if report directories are broadly accessible or retained longer than necessary.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill tells the agent to read an API key from `.mcp.json` and include it directly in outbound requests, but provides no user-facing notice or safeguards for credential handling. This is dangerous because local secret access combined with network transmission can leak credentials through logs, command history, filesystem artifacts, or misuse by modified downstream steps.

Missing User Warnings

Medium
Confidence: 89%
Finding
The document says the agent will save raw review content, parsed data, sentiment statistics, analysis outputs, and a final report to disk, but it does not indicate that third-party review text and derived artifacts will be retained locally. Silent persistence is risky because it can create undisclosed data stores containing potentially sensitive or regulated marketplace content, which may later be exposed, reused, or retained longer than intended.

Missing User Warnings

Medium
Confidence: 90%
Finding
The design describes using curl/API calls to obtain review data without warning users that the skill will make external network requests and transmit request parameters such as ASIN and site information to a third-party service. Undisclosed outbound traffic matters because it changes the trust boundary, can leak usage patterns or business intelligence, and may violate user or organizational expectations about local-only analysis.

VirusTotal

64/64 vendors flagged this skill as clean.