Amazon Refund & Price Tracker Agent

Security checks across malware telemetry and agentic risk

Overview

This Amazon assistant is mostly coherent, but it gives an AI-planned browser agent broad access to inspect and act on webpages beyond the Amazon-focused purpose.

Review before installing. Use it only on intended Amazon pages, inspect every confirmation carefully before approving, avoid enabling auto-send, use a dedicated low-privilege AI API key, verify the configured endpoint, and clear extension storage/artifacts after handling sensitive orders or messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Context-Inappropriate Capability (Severity: Medium, Confidence: 90%)

This code delegates action planning to an external LLM using the user's goal plus loaded skill metadata, then converts the model output into privileged browser actions. Even though there is a per-step confirmation gate later, the capability set is broad and includes navigation, DOM extraction, typing, clicking, script execution, and screenshots, which creates a powerful prompt-driven automation surface for sensitive browsing contexts.

Context-Inappropriate Capability (Severity: High, Confidence: 97%)

The runtime can navigate tabs, inject content scripts, extract DOM data, click, type, execute page actions, capture screenshots, and store artifacts, while also supporting skill expansions for Amazon orders, contact flows, and form filling. In the absence of a clearly limited purpose or strict policy boundaries, this is an over-privileged agent design that could be abused to collect sensitive data or perform user-impacting actions across live sessions.

Context-Inappropriate Capability (Severity: Medium, Confidence: 95%)

The panel explicitly loads and saves an API key via chrome.storage.local, introducing credential handling into the extension UI. Persisting secrets in extension storage increases exposure to other extension components, debugging artifacts, backup/sync workflows, or future code paths that may leak the value, and the code shown provides no justification, lifecycle controls, or user warning around this sensitive storage.

Missing User Warnings (Severity: Medium, Confidence: 93%)

The planner sends the user's goal and skill context to a remote endpoint configured in local storage, but this file shows no notice, consent flow, or minimization before transmission. That creates a privacy and data-governance risk because user instructions may contain sensitive information and the skill registry can reveal available capabilities to the external service.

Missing User Warnings (Severity: Medium, Confidence: 84%)

The code retrieves an API key from extension local storage and uses it to authorize requests to an arbitrary configured endpoint, with no visible disclosure or trust boundary controls in this file. While use of an API key is not inherently unsafe, combining secret handling with silent remote transmission and endpoint configurability increases the risk of misuse, accidental exfiltration, or sending data to an untrusted service.

Missing User Warnings (Severity: Medium, Confidence: 93%)

The `browser.type_message` tool can populate a visible chat/message input and, when `autoSend` is enabled, automatically click a detected send button without any user confirmation, allowlist, or origin restriction. In an agent skill context, this creates a real risk of unintended outbound communication, including sending sensitive user-provided or model-generated content to third-party sites or support chats.

Missing User Warnings (Severity: Medium, Confidence: 88%)

The UI explicitly asks the user to enter an API key but provides no warning about where that credential will be stored, how it will be transmitted, or what trust boundary it crosses. In an agent skill context, users may reasonably paste sensitive keys into a panel that can forward them to extension code or remote endpoints, increasing the risk of inadvertent credential disclosure.

Missing User Warnings (Severity: Medium, Confidence: 98%)

The code writes apiKey directly into chrome.storage.local with no visible warning, consent flow, retention limit, or security boundary enforcement. If any other privileged extension context is compromised or logs/debug tooling expose storage contents, the persisted credential can be stolen and abused for unauthorized API usage and billing.

Missing User Warnings (Severity: Medium, Confidence: 95%)

The skill is explicitly designed to navigate Amazon's contact flow and type a user-provided message, and the presence of an `auto_send` parameter means it may also trigger outbound communication. Because the manifest contains no explicit user-consent gating, warning, or scope restriction around sending messages to a third party, it creates a real risk of unintended external communication, spam, or unauthorized seller/customer contact.

Vague Triggers (Severity: Low, Confidence: 83%)

The skill can operate on Amazon order detail pages, contact pages, and messaging flows, but the manifest does not define clear invocation constraints, caller trust boundaries, or allowed domains/contexts beyond broad browser tool access. That underspecification increases the chance of the skill being invoked in the wrong workflow or with attacker-controlled inputs, enabling unintended actions on sensitive order and messaging interfaces.

Missing User Warnings (Severity: Medium, Confidence: 87%)

The skill is designed to fetch Amazon order details, including ASIN and buy price, from a caller-supplied URL, which can expose sensitive purchase information without any indication of user notice, consent flow, or domain restriction. The note that production uses a fetch against detailsUrl increases risk because an unvalidated URL could enable retrieval of sensitive order data from arbitrary endpoints or unintended internal/proxied resources, depending on the runtime environment.

Missing User Warnings (Severity: Low, Confidence: 91%)

The manifest explicitly advertises an option to open the first order details link, which introduces a page-navigation side effect beyond passive scraping. Because the skill description, notes, and schema do not clearly warn users that enabling this option will cause navigation or interaction on a sensitive e-commerce account page, a caller may trigger unintended browsing actions and expose additional account data or alter workflow state.

Missing User Warnings (Severity: Medium, Confidence: 85%)

This skill is explicitly designed to export evidence packages containing screenshots and DOM snapshots, which can capture sensitive page content such as personal data, credentials, case details, or internal application state. The manifest contains no indication of user-facing notice, consent, scoping constraints, or redaction controls, so use of the skill could lead to inadvertent collection and export of sensitive information.

Missing User Warnings (Severity: Medium, Confidence: 85%)

The skill is explicitly designed to capture screenshots and DOM snippets, which can include sensitive information such as personal data, session-linked content, account details, or hidden page elements. Because the skill definition contains no warning, scoping constraints, redaction behavior, or consent requirements, it increases the risk of unintended collection and exposure of sensitive page data.

VirusTotal

64/64 vendors flagged this skill as clean.