ClawHub

Amazon Competitor Spy

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent local Amazon competitor tracking skill, with the main things to notice being that it can use Bash and save ongoing market data under your home directory.

This skill appears safe for its stated purpose if you want a local competitor-tracking workspace. Before installing, be aware that it declares Bash access and will save ASIN watchlists, snapshots, alerts, and reports under ~/amazon-spy/. Do not enter confidential business details unless you are comfortable keeping them in those local files.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI02: Tool Misuse and Exploitation
Low
What this means

If installed, the agent may be able to run local shell commands while carrying out this skill, even though the documented workflow only needs local file management.

Why it was flagged

Bash is a broad local tool capability. In this artifact it appears aligned with creating and updating the local tracking workspace, and there are no suspicious shell commands or automatic execution instructions.

Skill content
allowed-tools: Bash
Recommendation

Use it only if you are comfortable with the agent having Bash available for this task, and review any command before allowing actions that affect files outside ~/amazon-spy/.

#ASI06: Memory and Context Poisoning
Low
What this means

Your own ASIN, competitor notes, pricing observations, and strategy reports may remain on disk and be available in future sessions.

Why it was flagged

The skill explicitly stores watchlists, historical snapshots, reports, and alerts as persistent local files, which can contain business-sensitive competitor and product-positioning information.

Skill content
Creates `~/amazon-spy/` containing: `watchlist.md`, `snapshots/`, `reports/`, `alerts.md`
Recommendation

Avoid entering confidential strategy details unless you are comfortable storing them locally, and periodically review or delete ~/amazon-spy/ if you no longer need the saved history.