Amazon Fba Finder
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill does not appear destructive, but its advertised live Amazon/supplier research features are largely unimplemented while it also asks for optional API keys.
Review this skill carefully before installing or paying for it. The code shown does not appear to steal data or modify accounts, but the advertised live product and supplier research features look unfinished. Do not rely on its recommendations for business decisions without independent verification, and avoid storing API keys in plain-text agent-readable files.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent could trust the skill's business recommendations even though the main product-search capability appears not to produce real market data.
The core product discovery path is documented in code as simulated and returns an empty list, which conflicts with the skill's advertised high-profit product discovery and live data claims.
# Simulated product search (a real implementation needs to integrate with the Amazon API) ... return opportunities
Treat this as a prototype unless the publisher clearly discloses limitations and provides working, verifiable data integrations.
The skill may overstate its ability to identify suppliers, which could mislead business decisions or subscription purchases.
The advertised supplier recommendation feature is also a stub that returns no suppliers, despite the README/SKILL presenting it as a working Alibaba/1688 supplier matching system.
# A real implementation needs to call the Alibaba API or a scraper ... return []
Verify that supplier data is actually fetched from legitimate sources before relying on this feature.
API keys are sensitive; putting them in a prompt-visible file such as TOOLS.md could expose them more broadly than intended.
The skill asks for Amazon and Alibaba API keys, but the registry metadata declares no required environment variables or primary credential.
Configure API keys in `TOOLS.md` or in environment variables: AMAZON_API_KEY=your_amazon_api_key ALIBABA_API_KEY=your_alibaba_api_key
Use environment variables or a secret manager instead of plain-text prompt files, and grant only the minimum API scopes needed.
Future dependency versions could change behavior or introduce supply-chain risk, although these packages are common and purpose-aligned.
The README tells users to install these dependencies, but the versions are lower-bounded rather than exactly pinned.
requests>=2.31.0 beautifulsoup4>=4.12.0 pandas>=2.0.0 numpy>=1.24.0 python-dotenv>=1.0.0 aiohttp>=3.9.0
Install in an isolated environment and prefer a reviewed lockfile or pinned dependency set for production use.
