Skill v1.0.0

ClawScan security

Amazon Brand Tailored Promotions · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Apr 9, 2026, 9:10 AM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill is an instruction-only advisory tool for Amazon promotions and its declared requirements are proportionate to that purpose, but provenance is weak and the runtime instructions are somewhat vague about what 'research' entails.
Guidance
This skill appears coherent for giving Amazon promotion advice: it asks questions and returns recommendations and does not request credentials. Two practical cautions before installing or running it: (1) Provenance — the registry entry lacks a homepage and the owner ID is opaque; prefer skills from known publishers or with a verifiable homepage. (2) The SKILL.md suggests installing via `npx skills add nexscope/amazon-brand-tailored-promotions` — running npx will download and execute code from the npm ecosystem, so only run that if you trust the package/source. Also be aware that the skill's 'research' step is vague and could cause the agent to access external web resources or prompt you for business data (sales, ASINs, etc.); avoid sharing sensitive credentials (Amazon Seller API keys, AWS keys, or raw PII) unless you confirm the skill legitimately needs them. If the skill later asks for Amazon/SP-API credentials, installation of binaries, or access to local files, re-evaluate: those would be disproportionate to an advisory skill and increase risk.

Review Dimensions

Purpose & Capability
ok: Name/description (Amazon promotions, audience targeting, discounts) align with the content of SKILL.md — it's an advisory skill that collects user input, asks a follow-up, and returns actionable recommendations. It does not request unrelated credentials or binaries.
Instruction Scope
note: Instructions are high-level: collect user info, ask one multi-choice follow-up, 'research and analyze', then return structured output. They do not explicitly instruct reading local files, environment variables, or contacting external endpoints, but the ambiguous 'research' step could cause an agent to browse the web or call external APIs depending on platform policies.
Install Mechanism
note: No install spec is present in the registry metadata (instruction-only), but SKILL.md shows an npx install command. Running npx would fetch code from npm — that is not part of the published registry spec here and carries the usual caution of executing third-party packages. The skill itself does not automatically download or install anything when evaluated as-is.
Credentials
ok: The skill declares no required env vars, no credentials, and no config paths. That is proportionate for an advisory/promotions planning skill that does not integrate directly with Amazon APIs.
Persistence & Privilege
ok: `always` is false and there are no install-time effects declared. The skill does not request persistent presence or system configuration changes.