Amazon Product Fetcher

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Amazon product-page fetcher with disclosed outbound web access and no evidence of credential access, persistence, or destructive behavior.

Use this for individual public Amazon product lookups. Before installing, understand that running it will contact Amazon and may be blocked by CAPTCHA or Amazon anti-scraping controls; avoid setting --marketplace or AMAZON_MARKETPLACE to non-Amazon or untrusted hosts.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 86% confidence
Finding: The skill documentation states it fetches Amazon product pages using Python and a browser-like User-Agent, which implies outbound network access and likely environment-dependent execution despite no declared permissions. Undeclared capabilities are dangerous because they bypass user/operator expectations and permission review, making it easier for a seemingly simple skill to perform unvetted external requests or use runtime environment data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal