Amazon FBA Finder

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly destructive, but it asks for marketplace API keys and sells real-time Amazon/Alibaba research features that the included code mostly does not implement.

Review before installing or paying. Do not provide real Amazon or Alibaba API keys until the publisher documents credential handling and ships working, scoped integrations. Treat product discovery and supplier recommendations as unproven in this version; the useful implemented portion appears mainly to be local FBA profit calculation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (10)

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The README instructs users to provide Amazon and Alibaba API keys but does not disclose how marketplace queries, supplier searches, or related business data may be transmitted to external services. This creates a real transparency and privacy/security risk because users may expose sensitive operational data and credentials without understanding the data-sharing surface.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
requests>=2.31.0
beautifulsoup4>=4.12.0
pandas>=2.0.0
numpy>=1.24.0
Confidence: 96%
Finding: requests>=2.31.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
requests>=2.31.0
beautifulsoup4>=4.12.0
pandas>=2.0.0
numpy>=1.24.0
python-dotenv>=1.0.0
Confidence: 96%
Finding: beautifulsoup4>=4.12.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
requests>=2.31.0
beautifulsoup4>=4.12.0
pandas>=2.0.0
numpy>=1.24.0
python-dotenv>=1.0.0
aiohttp>=3.9.0
Confidence: 96%
Finding: pandas>=2.0.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
requests>=2.31.0
beautifulsoup4>=4.12.0
pandas>=2.0.0
numpy>=1.24.0
python-dotenv>=1.0.0
aiohttp>=3.9.0
Confidence: 97%
Finding: numpy>=1.24.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
beautifulsoup4>=4.12.0
pandas>=2.0.0
numpy>=1.24.0
python-dotenv>=1.0.0
aiohttp>=3.9.0
Confidence: 95%
Finding: python-dotenv>=1.0.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
pandas>=2.0.0
numpy>=1.24.0
python-dotenv>=1.0.0
aiohttp>=3.9.0
Confidence: 96%
Finding: aiohttp>=3.9.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

Severity: High
Category: Supply Chain
Confidence: 90%
Finding: requests

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Severity: Critical
Category: Supply Chain
Confidence: 82%
Finding: numpy

Known Vulnerable Dependency: aiohttp — 10 advisory(ies): CVE-2024-52303 (aiohttp has a memory leak when middleware is enabled when requesting a resource ); CVE-2026-34514 (AIOHTTP has CRLF injection through multipart part content type header constructi); CVE-2026-34517 (AIOHTTP has late size enforcement for non-file multipart fields causes memory Do) +7 more

Severity: High
Category: Supply Chain
Confidence: 87%
Finding: aiohttp

VirusTotal

63/63 vendors flagged this skill as clean.