Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Amazon Review Scraper
v1.0.0
Amazon Review Intelligence — input an ASIN, automatically fetch product reviews via VOC.AI and run Claude AI analysis. Outputs structured VOC report: sentime...
⭐ 0· 24·0 current·0 all-time
MIT-0
License
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and SKILL.md align with the stated purpose: scraper.py calls VOC.AI APIs and analyze.py calls a local 'claude' CLI to generate VOC reports. Minor inconsistency: registry metadata lists no environment variables, but the scripts expect an optional VOC_TOKEN env var (and the analysis requires a configured 'claude' CLI). Requiring VOC.AI tokens and an AI CLI is coherent with the skill's purpose.
Instruction Scope
Runtime instructions and included scripts only fetch reviews from VOC.AI and send review text to the 'claude' CLI for analysis. However, analyze.py invokes claude with the flag '--dangerously-skip-permissions', which explicitly bypasses permission safeguards. This is a security-relevant behavior because it may cause the Claude/Anthropic client to transmit data without normal permission checks. The scripts do not read unrelated system files or contact network endpoints beyond VOC.AI and the local 'claude' binary.
Install Mechanism
There is no declared install spec (instruction-only skill), but scraper.py will auto-install the 'requests' package at runtime if it is missing (pip install). Auto-installing from PyPI at runtime is common, but it adds a runtime network dependency and writes to disk; be aware that the code performs pip installs.
Credentials
The only external credentials involved are an optional VOC.AI token (VOC_TOKEN) and whatever credentials the user's local 'claude' CLI requires (Anthropic/Claude). The registry metadata did not declare VOC_TOKEN, which is a small documentation mismatch. No unrelated credentials or system config paths are requested.
Persistence & Privilege
The skill does not request permanent agent presence (always:false), does not modify other skills or system-wide configs, and cleans up its temporary JSON file. No elevated persistence or privilege escalation behavior detected.
What to consider before installing
Before installing or running:
(1) Review and be comfortable that review text will be sent to VOC.AI (API endpoint in scraper.py) and to the local 'claude' CLI (which will contact Anthropic services).
(2) The analyzer passes '--dangerously-skip-permissions' to the Claude CLI — this bypasses client-side permission prompts and could allow broader data transmission; avoid running with sensitive or PII-containing data unless you trust the target services.
(3) The script will auto-install the 'requests' package via pip if missing—run in a virtualenv or sandbox if you prefer isolation.
(4) Provide a VOC.AI Team token only if you understand billing/credit implications.
(5) If you need higher assurance, run the scripts in an isolated environment, inspect the code, and/or remove or modify the '--dangerously-skip-permissions' usage in analyze.py before use.
Like a lobster shell, security has layers — review code before you run it.
latestvk97dxkvfmgqm3m6h4xmmgngpk18429jq
