Amazon Review Scraper

Warn: Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its stated Amazon review-analysis purpose, but it runs a nested Claude command with permission checks disabled on internet-sourced review text.

Review carefully before installing. The VOC.AI API use and optional token are expected, but the Claude analysis should be changed to remove --dangerously-skip-permissions, especially because the model prompt includes externally sourced review text.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or prompt-injected review could influence the nested Claude process to act outside the intended report-generation task, without the normal permission prompts that would otherwise require user approval.

Why it was flagged

The analyzer launches a nested Claude CLI process with permission checks explicitly disabled. Because the prompt includes externally fetched review text, this removes an important approval boundary for a model-driven tool invocation.

Skill content
subprocess.run(["claude", "--print", "--dangerously-skip-permissions", prompt], capture_output=True, text=True, timeout=120)
Recommendation

Remove --dangerously-skip-permissions, run Claude in a no-tools or tightly allowed-tools mode, and require user confirmation before any tool use beyond producing the report.

What this means

A review containing prompt-injection text could distort the analysis or, combined with the disabled Claude permissions, try to redirect the agent’s behavior.

Why it was flagged

Review titles and bodies fetched from an external service are placed directly into the Claude prompt. The prompt does not clearly isolate that text as untrusted data or instruct the model to ignore instructions inside reviews.

Skill content
Reviews:\n{reviews_text[:12000]}
Recommendation

Wrap review text in clear untrusted-data delimiters, tell the model to ignore instructions inside reviews, and avoid pairing untrusted content with permission-skipping execution.

What this means

First run may download and install code from the Python package ecosystem into the user’s environment.

Why it was flagged

If requests is missing, the skill installs it at runtime without a pinned version. SKILL.md discloses this behavior, and it is related to the stated API-fetching purpose.

Skill content
subprocess.run([sys.executable, "-m", "pip", "install", "requests", "-q"])
Recommendation

Prefer documenting a pinned dependency or asking the user to install requests in a virtual environment before running the skill.

What this means

Using a paid VOC.AI token may consume account credits, and passing tokens on the command line can expose them in shell history or process listings.

Why it was flagged

The skill can use a VOC.AI API token for more than the free review limit. This is expected for the integration, but the registry metadata does not declare a primary credential or required env var.

Skill content
Pass via `--token YOUR_TOKEN` or `export VOC_TOKEN=YOUR_TOKEN`
Recommendation

Use VOC_TOKEN or a secret manager instead of command-line tokens, and use a token scoped to the minimum access needed.