ClawHub

Amazon Search

Security checks across malware telemetry and agentic risk

Overview

This skill can search Amazon, but it also includes under-disclosed browser stealth, cookie/session handling, debug page captures, and an unsafe shell execution path.

Review carefully before installing. Prefer waiting for a version that removes shell interpolation, raw cookie output, browser stealth settings, and automatic debug/session persistence. If you still use it, run it in a disposable sandbox, avoid authenticated Amazon sessions, use only trusted proxies, and treat generated cache/debug files and terminal logs as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill declares environment and network-dependent behavior but does not expose an explicit permissions model, which can cause consumers to underestimate what the skill can access or transmit. In this context, the skill uses Playwright, proxies, remote package installation, and local persistence, so the omission materially weakens informed consent and review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose understates materially sensitive behaviors: image downloading, cookie/session handling, debug artifact creation, and extra management utilities. This mismatch is dangerous because operators may run the skill believing it only performs a simple search, while it can persist cookies, HTML, screenshots, and other data locally, expanding both privacy and credential exposure risks.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code builds a shell command string with user-controlled input (`keyword`) and executes it via `execSync`. Although the keyword is wrapped in quotes, it is not safely escaped, so crafted input containing shell metacharacters or quotes can break out of the intended argument and lead to command injection. In the context of an Amazon search skill, spawning a shell is unnecessary and materially increases risk.

Description-Behavior Mismatch

Low
Confidence
89% confidence
Finding
The `--output` parameter lets a user direct results to any filesystem path via `path.resolve(outputDir)`, allowing writes outside the intended `results/` directory. If this script runs with elevated privileges or in an automation context, an attacker could overwrite or place files in sensitive locations, violating the documented storage boundary.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file goes well beyond a normal Amazon product search helper: it explicitly launches a headless browser to obtain Amazon cookies, uses anti-detection flags, spoofs browser fingerprinting signals, and exposes the harvested cookies for reuse on the CLI. In the context of a skill whose stated purpose is product search and caching, collecting session cookies with stealth behavior is suspicious and can enable unauthorized scraping, session abuse, or evasion of platform defenses.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The launch configuration contains numerous browser-evasion flags such as disabling AutomationControlled, web security, sandboxing, and other browser features specifically to reduce detection. For a product search skill, these capabilities are unnecessary and materially increase the risk that the skill is intended to bypass anti-bot controls or operate deceptively against Amazon.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The injected init script alters navigator.webdriver, window.chrome, permissions, plugins, and languages to spoof fingerprinting signals and conceal automation. That is not required for ordinary search functionality and is a classic stealth pattern used to evade bot detection, making the skill more dangerous in context.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The script saves a full-page screenshot and complete HTML snapshot to local disk during execution. Those artifacts can capture account state, cookies in markup, personalization, addresses, or other page data unrelated to the stated purpose of returning structured product search results, creating unnecessary data retention risk.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The code stores browser cookies and user-agent data in a local session cache, which goes beyond the documented behavior of caching search results. Persisted cookies can contain authentication or tracking state and may be reused, exfiltrated by other local processes, or inadvertently retained longer than users expect.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
On failure, the script writes full-page screenshots and raw HTML to disk, which may capture sensitive content such as account information, recommendations, geolocation hints, or anti-bot challenge pages. This creates an undocumented data-at-rest exposure and broadens collection beyond the stated purpose of returning search results.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script injects anti-detection and fingerprint-evasion logic, including hiding webdriver indicators and spoofing browser properties. While not a direct exploit against the host, this is risky because it enables deceptive automation behavior inconsistent with the stated search-only purpose and can facilitate policy evasion or scraping abuse.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The module fetches arbitrary attacker-influenced URLs and can optionally route them through a proxy, with browser-like headers and spoofed referers intended to increase fetch success. In an agent skill whose stated purpose is Amazon product search, this materially expands capability into general outbound network access and creates SSRF-style risk, internal network probing, and unauthorized fetching of non-Amazon resources.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The skill auto-saves results and caches to disk but does not clearly warn that search queries and product data will persist locally. While not an immediate code-execution issue, this creates a privacy and data-retention risk, especially on shared systems or when searches contain sensitive business research terms.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This finding reflects the same core issue as the child-process execution: user-controlled data is inserted into a shell command without safe argument separation. Lack of warning is not the main problem; the dangerous part is that a search keyword or proxy string can potentially alter the executed command and achieve arbitrary command execution.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Writing a full HTML snapshot to disk without warning or consent creates a privacy and data-handling issue because the page may contain session-dependent or personalized content. In this skill's context, persistent storage of the entire page exceeds what is necessary for search results and increases the chance of unintended disclosure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Persisting cookies to disk without notice is a real privacy and security issue because cookies can encode session state, identifiers, and tracking information. In a scraping skill, this is more dangerous because users would reasonably expect cached results, not durable browser session material.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Saving raw HTML and screenshots during error handling can preserve far more data than intended, including search history, challenge pages, account UI elements, and other page content unrelated to the requested output. The lack of warning or opt-in makes this an unnecessary and potentially sensitive data collection path.

External Script Fetching

High
Category
Supply Chain
Content
Install [Bun](https://bun.sh) runtime:

```bash
curl -fsSL https://bun.sh/install | bash
```

Install skill dependencies:
Confidence
98% confidence
Finding
curl -fsSL https://bun.sh/install | bash

Chaining Abuse

High
Category
Tool Misuse
Content
Install [Bun](https://bun.sh) runtime:

```bash
curl -fsSL https://bun.sh/install | bash
```

Install skill dependencies:
Confidence
97% confidence
Finding
| bash

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal