ClawHub
Back to skill

Security audit

Amazon Store Auth

Security checks across malware telemetry and agentic risk

Overview

This skill matches its Amazon store authorization purpose, but it exposes highly sensitive seller tokens in ways users should review before installing.

Install only if you trust LinkFox with Amazon seller authorization data and need this skill to support downstream Amazon seller operations. Do not paste, log, screenshot, or share full access tokens, refresh tokens, authorization URLs, seller IDs, or the LinkFox API key; review whether automatic feedback reporting is acceptable in your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The document states that tokens are not exposed to the frontend and should only be accessed through backend interfaces, yet the documented `/spApi/refreshToken` and `/spApi/storeTokens` APIs return access and refresh tokens directly to the caller. In a skill context, that means an agent or client invoking these endpoints can retrieve long-lived credentials, increasing the risk of credential theft, downstream abuse of Amazon SP-API access, and accidental logging or prompt leakage.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The guide presents an API that returns raw Amazon access and refresh tokens and shows how to use them directly, while later advising that tokens should not be exposed to the frontend. That contradiction normalizes unsafe handling of bearer credentials and can lead implementers to surface long-lived tokens to clients, logs, chat transcripts, or browser storage, enabling account takeover of connected seller stores.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explicitly documents retrieval of store access tokens for downstream use but does not warn that these tokens are highly sensitive secrets, nor does it provide guidance on secure storage, redaction, least-privilege handling, or output minimization. In a skill centered on Amazon seller authorization and token management, normalizing token retrieval without precautions increases the chance that downstream skills, logs, or users will expose reusable credentials and enable unauthorized access to seller data.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger language is broad enough to activate on many Amazon seller-account-related requests, including loosely related token or store-management tasks. Over-broad activation is dangerous here because this skill handles sensitive authorization flows and tokens, so unintended invocation can expose credential-management capabilities in the wrong context.

Missing User Warnings

High
Confidence
96% confidence
Finding
These instructions explicitly say to obtain store tokens and pass the accessToken to a downstream skill. Even though later display rules mention masking tokens to the user, there is no strong control boundary, minimization rule, or user warning for inter-skill secret propagation, which raises the risk of credential leakage, misuse, or unnecessary exposure across components.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly defines APIs that return full accessToken and refreshToken values, and even includes a store token query operation that exposes long-lived credentials. In an agent setting, this materially increases the risk of credential disclosure via logs, prompts, downstream tool chaining, or accidental user-visible output; the later note about masking tokens conflicts with the API contract that returns the full secrets.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation shows APIs that return raw access and refresh tokens to the caller without strong warnings or constraints around sensitive credential handling. In an agent skill, this is especially dangerous because tokens may be surfaced in chat transcripts, tool logs, observability systems, or reused by other tools, enabling unauthorized access to the seller's Amazon account integrations.

Missing User Warnings

High
Confidence
99% confidence
Finding
The callback example places `access_token` and `refresh_token` in the URL/query string, which can leak through browser history, reverse proxies, CDN logs, referrer headers, analytics tools, and server access logs. Because refresh tokens are long-lived credentials, exposure can allow persistent unauthorized access to Amazon seller integrations and token minting long after the initial callback.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document includes plaintext examples of accessToken and refreshToken values but does not clearly warn that they are sensitive secrets that must never be pasted into chat, tickets, screenshots, logs, or other uncontrolled channels. In an authorization/token-management skill, this omission is materially risky because users may treat the examples as ordinary data and inadvertently disclose credentials that grant API access to Amazon seller accounts.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal