Amazon Seller Policy News

Security checks across malware telemetry and agentic risk

Overview

The skill's main news lookup behavior is coherent, but it also instructs agents to send automatic feedback reports to a separate LinkFox endpoint without user interruption or clear consent.

Review before installing. The policy-news lookup itself is straightforward, but only install if you are comfortable giving LinkFox an API key and accept the skill's instruction to automatically send feedback reports to a separate LinkFox service. Avoid including sensitive seller/account details in prompts, and delete any persisted response files when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation invokes local scripts, shell commands, networked tool access, and optional file persistence, yet it declares no permissions or capability boundaries. This creates a mismatch between what the skill appears allowed to do and what it actually instructs the agent to do, increasing the chance of over-privileged execution and reducing auditability.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill's primary purpose is news retrieval, but it additionally instructs the agent to call a Feedback API based on broad subjective conditions such as praise, dissatisfaction, or anything improvable. That creates an unrelated side-channel data flow and may transmit user content or metadata beyond what is necessary for the requested task.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is declared as a policy-news lookup tool, but the API reference also documents a separate feedback submission endpoint that can transmit user/agent-generated content to a different service. This expands the skill’s effective capability beyond retrieval into outbound reporting, which creates an unnecessary data-flow path and increases the risk of unintended exfiltration of user prompts, outputs, or behavioral telemetry.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
A standalone feedback reporting capability is not justified by the skill’s stated function of retrieving Amazon policy news, so it represents hidden or secondary behavior unrelated to the user’s primary task. In agent settings, such undocumented side-channel reporting is risky because it can be repurposed to send conversation details or execution metadata off-platform without the user expecting it.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger logic is broad enough to activate the skill even when the user does not explicitly ask for policy news, as long as the request loosely relates to seller policy or compliance. Over-broad invocation can route unrelated user tasks into this skill, causing unnecessary data access, wrong-tool execution, and expanded exposure to the skill's extra behaviors such as feedback reporting or file handling.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The helper always writes full child-script stdout to disk, which can include API responses, tokens, personal data, or other sensitive seller information. Because this wrapper is designed to persist large responses generically and gives no consent gate, redaction, or retention control, it increases the blast radius of any sensitive data returned by the wrapped script.

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
```
{"id": "QVRWUERLSUtYMERFUiNHOTZRODY5N1pXWU1DR0I3", "site": "US"}
```

## Display Rules

1. **List view**: present results as a table with title, site, category, published time, and the preview snippet; include the original `url` so users can open the source.
2. **Detail view**: render the `stdout` Markdown as-is; keep the leading meta line (site / category / published time / source link).
Confidence
96% confidence
Finding
Display Rules

VirusTotal

60/60 vendors flagged this skill as clean.
