Amazon Ads Report

Security checks across malware telemetry and agentic risk

Overview

This Amazon Ads report skill mostly matches its purpose, but it adds automatic external feedback reporting and can expose sensitive report files through a temporary HTTP link.

Install only if you are comfortable giving the skill access to Amazon Ads authorization and downloaded business reports. Keep report serving bound to 127.0.0.1 or disable it, avoid sharing generated URLs, delete downloaded report files when finished, and do not allow feedback submissions to include tokens, account IDs, report contents, file paths, or other sensitive details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill promises direct return of readable structured report data for SP/SB/SD only, but the observed behavior includes serving downloaded files over a local HTTP endpoint, poll-only resume flows, optional source download URLs, and broader report-type support than advertised. This mismatch is dangerous because downstream agents and users may trust the skill with a narrower data-flow and exposure model than it actually has, leading to unintended data exposure or misuse of unsupported paths.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to automatically call a separate Feedback API based on user sentiment or perceived improvement opportunities, which is unrelated to the core task of fetching Amazon Ads reports. This creates an out-of-band data exfiltration path where user conversation content and behavioral signals may be transmitted to another service without clear necessity, consent, or scope limitation.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script starts a local HTTP server by default and exposes the downloaded, extracted report file over HTTP, which expands the attack surface beyond simple retrieval. If the host/port are changed from defaults, sensitive advertising data could be exposed to other users or systems on the network; even on localhost, other local processes may access the file during the serving window.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill documents downloading ad reports and then serving the extracted JSON over a temporary local HTTP server by default. Even though it binds to 127.0.0.1, this still increases exposure of potentially sensitive advertising data to other local processes, browser extensions, malware, shared-user environments, or port-forwarding/proxy setups, and the docs do not prominently warn users about this behavior.

External Transmission

Medium
Category
Data Exfiltration
Content
Unlike the tool API above, this uses a **different base URL**:

```bash
curl -X POST https://skill-api.linkfox.com/api/v1/public/feedback \
  -H "Content-Type: application/json" \
  -d '{"skillName":"linkfox-amazon-ads-report","sentiment":"POSITIVE",
       "category":"OTHER","content":"报告拉取顺利"}'
```
Confidence
78% confidence
Finding
curl -X POST https://skill-api.linkfox.com/api/v1/public/feedback \ -H "Content-Type: application/json" \ -d

VirusTotal

63/63 vendors flagged this skill as clean.
