! Purpose & Capability
The skill's name and description (Amazon price/refund workflows) match the included code and skill JSON files. However, the extension's manifest grants host_permissions: "<all_urls>" and uses chrome.scripting.executeScript to inject content scripts into arbitrary tabs. That breadth is disproportionate for an Amazon-only tool: SKILL.md lists only Amazon requirements, but the code can reach pages beyond Amazon and can therefore read or manipulate unrelated sites.
! Instruction Scope
SKILL.md tells the user to load the MV3 extension and to enter an OpenAI endpoint and key in the panel. The runtime instructions and code perform extensive DOM scraping, take screenshots, store artifacts in IndexedDB, and can inject scripts. Those actions are consistent with an Amazon automation tool, but the extension will extract arbitrary page content (not limited to Amazon), and the panel encourages saving an API key that is then used to call the configured LLM endpoint, so potentially sensitive page data could be sent off-device to that endpoint.
✓ Install Mechanism
No external install script, remote download, binary, or archive is used; the package is an MV3 extension with all source files included. This is lower risk than an install spec that pulls arbitrary code from the internet.
! Credentials
The skill declares no required environment variables, but the UI asks users to enter an API endpoint and API key, which are stored in chrome.storage.local. The manifest also includes host_permissions: "<all_urls>" and access to api.openai.com. Requesting a long-lived LLM API key and granting access to all URLs is more privilege than an Amazon-only refund/price tracker should need; the extension can send collected DOM content and screenshots to the configured endpoint.
ℹ Persistence & Privilege
always:false (the skill is not force-included) and it makes no claims of modifying other skills. However, the extension runs a service worker and injects content scripts into tabs on demand via chrome.scripting.executeScript. Combined with broad host permissions, this gives it the persistent ability to run in arbitrary pages while enabled; that is not inherently malicious, but it increases the blast radius.
Scan Findings in Context
[system-prompt-override] unexpected: a prompt-injection pattern was detected in SKILL.md. The extension constructs and sends a system prompt to the configured LLM (background.planWithLLM). Using a system prompt for planning is expected here, but the presence of prompt-override patterns in SKILL.md, together with code that directs the planner LLM to return tool-call JSON, means that a compromised or malicious planner endpoint, or misuse of the user's API key, could cause unexpected behavior. This finding should be reviewed carefully.
What to consider before installing
This extension contains code to scrape Amazon pages, take screenshots, store artifacts locally, and call a configurable LLM endpoint using an API key you provide in the UI. Before installing:
1. Only proceed if you trust the extension source: the package requests wide host permissions (<all_urls>), which allows script injection and data reading on any page, not just Amazon.
2. Do not paste your primary OpenAI (or other) API key into the panel unless you trust the endpoint and author; prefer a dedicated, limited-scope key.
3. Inspect the extension code yourself (or ask someone to) to confirm there are no outbound data exfiltration calls beyond the planner fetch.
4. If you must use it, restrict the endpoint to the official provider URL (e.g., api.openai.com) and consider revoking the key after use.
5. Prefer an alternative that limits host_permissions to Amazon domains.
These mismatches (broad permissions plus the ability to send scraped data to an external LLM) are the reason this package is flagged as suspicious.