Skill v1.0.0

ClawScan security

Amazon Orders · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 9:34 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (scraping your Amazon order history) is coherent with the tools and credentials it asks for, but there are inconsistencies and sensitive requirements (an OTP secret declared as required by the registry though the documentation says it's optional) that warrant caution before installing and supplying credentials.
Guidance
This skill appears to be what it claims (a wrapper around the unofficial amazon-orders Python package), but you should be cautious about supplying credentials. Key points to consider before installing or enabling it:
- The registry metadata marks AMAZON_OTP_SECRET_KEY as required, but the SKILL.md says the OTP/TOTP secret is optional for accounts with MFA — ask the publisher or registry maintainer to clarify whether the OTP secret is mandatory.
- Never store your Amazon password or OTP secret in plaintext where you don't control access. Prefer interactive login or a secure secrets manager (Vault, 1Password, GitHub Actions secrets) and avoid placing long-lived OTP secrets in environment variables unless you understand the risk.
- Installing via `pip` will fetch the package from PyPI and run its code on your system. Review the package source (the linked GitHub repo) and pin a version to avoid unexpected upgrades or supply-chain issues.
- If you enable autonomous agent invocation, be aware the agent could log in and fetch orders without further prompts — that increases the impact if credentials are compromised.
- If you do not trust the package author or cannot verify the repository, do not provide credentials; consider running the tool in an isolated environment (ephemeral VM or container) and limit network/credential exposure.
If you want a safer setup: confirm whether OTP is actually required, use short-lived or restricted credentials where possible, review the upstream project code, and prefer interactive login flows or delegated authentication over storing TOTP secrets in env vars.

Review Dimensions

Purpose & Capability
Rating: note
Name/description match what the SKILL.md actually instructs (install and run the unofficial amazon-orders Python package). Requested binaries (python3, pip3) and environment variables for Amazon credentials are consistent with an automated scraper that logs into an account. However, the registry metadata lists AMAZON_OTP_SECRET_KEY as a required env var while the SKILL.md explicitly says that OTP/TOTP is optional for accounts that have MFA — this mismatch is disproportionate and should be clarified.
Instruction Scope
Rating: ok
SKILL.md stays on-purpose: it tells the agent to pip install the package, to supply credentials via env vars or parameters, and to run the library or CLI to fetch order history. It does not instruct the agent to read unrelated files, harvest additional system secrets, or send data to endpoints outside the documented project. The doc does recommend storing credentials in env vars and using an OTP secret for automation, which is within scope for automated login but has security implications.
Install Mechanism
Rating: note
There is no formal install spec in the registry; the SKILL.md tells users to run `python3 -m pip install --upgrade amazon-orders`. Installing from PyPI is a common pattern but carries normal supply-chain risk (pip package code will be downloaded and executed). The homepage points to a GitHub repo, which is expected; no remote download from unknown hosts is required by the SKILL.md itself.
Credentials
Rating: concern
The skill requires AMAZON_USERNAME and AMAZON_PASSWORD (expected) and the registry also lists AMAZON_OTP_SECRET_KEY as required. The SKILL.md describes the OTP secret as optional for accounts with MFA. Declaring the OTP secret mandatory is disproportionate and sensitive: an OTP/TOTP secret in environment variables allows unattended login and effectively bypasses MFA protections. The number and sensitivity of required env vars are otherwise appropriate for a login-based scraper, but the mandatory OTP secret is a red flag unless you explicitly need unattended runs.
Persistence & Privilege
Rating: note
always:false (no forced global inclusion) and model-invocation is enabled (default). That means the agent could invoke the skill autonomously if permitted. Combining autonomous invocation with stored Amazon credentials (especially an OTP secret) increases risk because the agent could sign in and act on the account without interactive confirmation. This is not by itself a fatal issue, but be aware of the blast radius before enabling autonomous runs.