Amazon Orders
Warn
Audited by ClawScan on May 10, 2026.
Overview
Review recommended: this skill matches its Amazon order-history purpose, but it asks for full Amazon login credentials including a TOTP secret and runs an unpinned unofficial scraper package.
Install only if you trust the upstream amazon-orders package and are comfortable giving it Amazon login credentials. Use a virtual environment, pin and review the package version, keep credentials in a secret manager, avoid storing the TOTP seed unless necessary, run commands manually, and protect or delete exported order-history files.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these credentials or the TOTP seed are mishandled, exposed, or used by compromised package code, an attacker could access the Amazon account, not just order history.
The skill asks the user to provide full Amazon login material, including a reusable MFA/TOTP seed, to an unofficial scraper. That access is broader than a scoped read-only order-history token.
export AMAZON_PASSWORD="your-password" ... export AMAZON_OTP_SECRET_KEY="BASE32_TOTP_SECRET" ... prefer setting `AMAZON_OTP_SECRET_KEY` for automated runs.
Use this only if you are comfortable with an unofficial tool handling Amazon credentials. Prefer manual login where possible, avoid storing the TOTP seed unless necessary, use a secret manager, and change/revoke credentials if you suspect exposure.
A future or compromised package version could behave differently from what the skill documentation describes.
The setup installs the latest external Python package without a pinned version. This is purpose-aligned, but the reviewed skill artifact does not fix which package code will handle the user's credentials.
python3 -m pip install --upgrade amazon-orders
Install in a virtual environment, pin a known version, and review the upstream package before giving it Amazon credentials.
Detailed purchase history may remain on disk and could be read later by other tools, agents, backups, or users with file access.
The documented workflow can persist detailed private order history to a local JSON file. This is user-directed and aligned with the skill's purpose, but it creates sensitive local output.
amazon-orders history --year 2023 --full-details > orders_2023.json
Store exported order files in a protected location, avoid sharing them unintentionally, and delete them when no longer needed.
