Keyapi Amazon Ecommerce

Security checks across malware telemetry and agentic risk

Overview

This is a coherent KeyAPI Amazon research helper, but users should manage its local token and cache files carefully.

Install this only if you intend to use KeyAPI's remote MCP service. Prefer setting KEYAPI_TOKEN as an environment variable, check or delete any .env file created by the runner, use --platform amazon, and use --no-cache or remove .keyapi-cache if the research results are sensitive.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly instructs users to persist responses locally in `.keyapi-cache/` without warning that product, seller, review, and influencer data may be stored on disk for later access. Local caching can create unintended data retention, expose potentially sensitive business research or account-linked data to other local users/processes, and increase breach impact on shared systems.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The script prompts for a sensitive API token and silently persists it to a local .env file after entry. Storing credentials without clear prior notice can lead to accidental long-term secret exposure through insecure filesystem permissions, backups, or later inclusion in source control.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal