ClawHub

Amazon Ads Auth

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it handles sensitive Amazon Ads credentials and includes automatic external feedback reporting that is too broad.

Install only if you trust LinkFox to broker and store Amazon Ads OAuth credentials. Keep LINKFOXAGENT_API_KEY private, avoid setting AMAZON_ADS_BASE_URL unless it points to a trusted endpoint, clear cached authorization URLs or clipboard contents when needed, and be aware the skill asks the agent to send automatic feedback without a separate confirmation step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is presented as an Amazon Ads authorization and token-management tool, but it also instructs the agent to automatically send data to a separate Feedback API. That creates an undeclared secondary data flow to another endpoint, which can leak user interactions, account context, or operational metadata beyond the user's expected purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Automatic feedback reporting is unrelated to the core function of authorizing Amazon Ads accounts and managing tokens/profiles. Unrelated outbound functionality increases the attack surface and can enable covert exfiltration of conversation content, user sentiment, or account identifiers under the guise of telemetry.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This script explicitly fetches stored Amazon Ads access and refresh tokens from a backend endpoint and prints them to stdout, even though it masks them before display. Exposing token-retrieval functionality in a skill materially increases the risk of credential disclosure through logs, terminal history, downstream tool capture, or future code changes that remove or weaken masking; in an auth-management skill, direct token handling is especially sensitive because these tokens grant API access to advertising accounts.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger conditions are broad enough to activate on general Amazon Ads-related discussion, even when the user has not clearly requested authorization or token-management actions. Overbroad triggering is risky in this context because the skill can expose account-management flows, prompt for identifiers, or initiate sensitive operations in conversations that only sought information.

Vague Triggers

Low
Confidence
91% confidence
Finding
The feedback-reporting trigger includes catch-all language such as reporting anything that could be improved, which is too vague for an automated outbound action. In a skill that handles authorization and token-related workflows, this ambiguity increases the chance of over-collection and transmission of sensitive conversational or account context to an external API.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation exposes endpoints that return raw Amazon Ads access tokens and refresh tokens, including a read-only token retrieval API that does not refresh but still discloses stored secrets. In an agent-skill context, this is especially dangerous because downstream tools or prompts may request these values and then transmit or log them, enabling account takeover or persistent unauthorized API access if mishandled.

Missing User Warnings

Low
Confidence
69% confidence
Finding
The docs instruct users to read an API key from an environment variable and send it in an Authorization header, but do not label it as sensitive or warn against exposing it in logs, screenshots, shared terminals, or copied examples. This is a weaker issue than token disclosure, but still increases the chance of accidental credential leakage through operational misuse.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal