Skill v1.0.0

ClawScan security

Amazon FBA Finder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 15, 2026, 7:51 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The package and docs claim live Amazon/Alibaba integration and supplier matching, but the registry metadata and included code are inconsistent (API keys are mentioned in docs but not declared as required, and network integration functions are stubbed), so it may not behave as advertised and requires caution before trusting or providing credentials.
Guidance
This package contains sensible modules for FBA analysis, but the README/SKILL.md promise live Amazon/Alibaba integration while the shipped code's search functions are placeholders that return no real results. Before installing or supplying any API keys:
1) Don't hand over Amazon/Alibaba credentials unless you verify the code will actually call the expected endpoints (inspect the ProductFinder._search_products and SupplierRecommender._search_suppliers implementations or contact the author).
2) Treat the current release as mostly a local calculator/analysis library (profit calculations, scenario comparisons) rather than a scraper or API integrator.
3) Check the repository/source URL and author identity (homepage/source are 'unknown' or point to placeholder GitHub links in docs) and prefer packages with an upstream repo and active releases.
4) If you plan to run this in production, run the unit tests locally, audit any future network-calling code, and limit API keys to least-privilege credentials (rotate them and use separate test accounts).
If you need a tool that actually queries Amazon/Alibaba, verify those integrations are implemented and that the API endpoints used are documented and trustworthy.

Review Dimensions

Purpose & Capability
note: The skill's name, README, and SKILL.md describe product discovery, competition analysis, supplier recommendations and profit calculations; corresponding modules exist (product_finder, competition_analyzer, supplier_recommender, profit_calculator). However, the product search and supplier search implementations are clearly placeholders (they return empty lists or framework-only logic) rather than real integrations, so the claimed live data gathering is not actually implemented in the shipped code.
Instruction Scope
concern: SKILL.md instructs users to configure AMAZON_API_KEY and ALIBABA_API_KEY and states the tool will 'real-time query Amazon and suppliers', yet the code's network functions are stubbed and the skill metadata does not declare or require those environment variables. The instructions therefore promise network I/O and external API use that the code does not implement; this mismatch is scope-incoherent and could mislead users into supplying credentials for no reason, or for later versions that change behavior.
Install Mechanism
ok: There is no external install script or URL download; the package is instruction/code-only with a requirements.txt listing common Python libs (requests, aiohttp, beautifulsoup4, pandas, numpy, python-dotenv). That is standard for a Python utility and does not itself introduce an installation red flag.
Credentials
concern: The documentation and examples reference AMAZON_API_KEY, ALIBABA_API_KEY and .env configuration, but registry metadata declares no required env vars and the code treats api_key parameters as optional. This mismatch is disproportionate: either the skill should declare that it requires those credentials (and explain their usage), or it should not advertise them. Requiring users to provide API keys (per docs) without clear necessity or proper declaration is a risk.
Persistence & Privilege
ok: No 'always: true' flag, no install script that modifies other skills, and no code requesting elevated system privileges or altering other configurations. The skill runs as a normal user-space library.