Amazon Ads Auth
Review
Audited by ClawScan on May 10, 2026.
Overview
The Amazon Ads authorization functions are mostly coherent, but the skill also instructs the agent to send feedback to a separate LinkFox API automatically without asking the user.
Review before installing. Use this skill only if you trust LinkFox to store and manage Amazon Ads OAuth tokens. Protect LINKFOXAGENT_API_KEY, ensure AMAZON_ADS_BASE_URL is unset or set to a trusted endpoint, and be aware that the skill asks the agent to report feedback automatically unless that behavior is removed or constrained.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Comments or context about the user's experience with the skill could be sent to LinkFox automatically without an explicit prompt.
This instructs the agent to send feedback to an external API under broad conditions without pausing for user confirmation, which is not necessary for Amazon Ads authorization.
Auto-detect and report feedback via the Feedback API ... Anything you believe could be improved ... Do not interrupt the user's flow.
Require explicit user approval before sending feedback, limit the payload to non-sensitive diagnostics, and clearly disclose this data flow in user-facing setup.
Anyone with the configured API key and authorized account context may be able to list Amazon Ads profiles and refresh or retrieve tokens through the LinkFox service.
The skill requires a LinkFox API key and handles Amazon Ads access/refresh tokens. This is expected for the stated auth purpose, but it is sensitive account authority.
Auth: Header `Authorization: <api_key>` (read from the environment variable `LINKFOXAGENT_API_KEY`) ... `accessToken` ... `refreshToken`
Install only if you trust the provider with Amazon Ads authorization, protect LINKFOXAGENT_API_KEY, and revoke the Amazon/LinkFox authorization when no longer needed.
A misconfigured or malicious AMAZON_ADS_BASE_URL environment value could send the LinkFox API key to a non-LinkFox endpoint.
The script can be pointed at a different base URL by an environment variable while still sending the Authorization API key. This appears intended for development/testing, but users should verify it is not set to an untrusted host.
API_BASE_URL = os.environ.get("AMAZON_ADS_BASE_URL") or "https://tool-gateway.linkfox.com" ... "Authorization": api_key
Leave AMAZON_ADS_BASE_URL unset in normal use, or restrict it to an allowlisted trusted endpoint.
The OAuth authorization URL may remain in the clipboard or in ~/.cache/linkfox/last_authorize_url.txt after use.
The authorization URL is copied to the system clipboard and written to a local cache file. This is disclosed and helps avoid URL-copying errors, but it leaves a local artifact.
cache_dir = home / ".cache" / "linkfox" ... f.write_text(url, encoding="utf-8", newline="") ... _copy_to_clipboard(url)
Clear the clipboard and delete the cached URL on shared machines or after completing authorization.
