Amazon Asin Lookup Api Skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate Amazon ASIN lookup integration, but it gives unsafe guidance for handling an API key.

Install only if you are comfortable sending lookup requests to BrowserAct. Supply the BrowserAct key through an environment variable or a secret store, and do not paste the API key into chat, prompts, logs, or shared transcripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill invokes a Python script that reads an environment secret (`BROWSERACT_API_KEY`) and makes external network/API requests, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: an agent or reviewer may treat the skill as lower risk than it really is, while the skill can still access secrets and transmit user-provided ASINs and retrieved data to a third-party service.
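A static check for the gap this finding describes, as an added example (not the scanned skill's code and not SkillSpector's): it parses a Python script with the standard `ast` module, records which environment variables it reads and whether it imports a network client, then compares that against what the skill's manifest declares. The manifest shape (`permissions: {env, network}`), the sample script and the placeholder endpoint are all constructed for the example; the only name taken from the finding is `BROWSERACT_API_KEY`. It assumes Python 3.9 or later, where a subscript's index is an `ast.Constant`.

```python
import ast

# Constructed stand-in for a lookup script: reads a secret from the environment
# and calls a third-party API. The endpoint is a placeholder, not BrowserAct's.
SAMPLE_SCRIPT = '''
import os
import requests

def lookup(asin):
    key = os.environ["BROWSERACT_API_KEY"]
    token = os.getenv("OTHER_TOKEN", "")
    resp = requests.get("https://api.example.invalid/lookup", params={"asin": asin},
                        headers={"Authorization": f"Bearer {key}"})
    return resp.json()
'''

# Hypothetical manifests. The first declares nothing, which is the gap the
# finding reports; the second declares what the script actually does.
UNDERDECLARED_MANIFEST = {"permissions": {"env": [], "network": False}}
HONEST_MANIFEST = {"permissions": {"env": ["BROWSERACT_API_KEY", "OTHER_TOKEN"], "network": True}}

# Modules whose import indicates outbound network capability.
NETWORK_MODULES = {"requests", "httpx", "urllib", "urllib3", "http", "socket", "aiohttp"}


class CapabilityVisitor(ast.NodeVisitor):
    """Collects environment reads (os.environ[...], os.environ.get, os.getenv)
    and imports of network client modules."""

    def __init__(self):
        self.env_vars = set()
        self.network_modules = set()

    @staticmethod
    def _is_os_environ(node):
        return (isinstance(node, ast.Attribute) and node.attr == "environ"
                and isinstance(node.value, ast.Name) and node.value.id == "os")

    def visit_Import(self, node):
        for alias in node.names:
            root = alias.name.split(".")[0]
            if root in NETWORK_MODULES:
                self.network_modules.add(root)
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        root = (node.module or "").split(".")[0]
        if root in NETWORK_MODULES:
            self.network_modules.add(root)
        self.generic_visit(node)

    def visit_Subscript(self, node):
        # os.environ["NAME"]
        if self._is_os_environ(node.value) and isinstance(node.slice, ast.Constant):
            self.env_vars.add(str(node.slice.value))
        self.generic_visit(node)

    def visit_Call(self, node):
        # os.getenv("NAME") and os.environ.get("NAME")
        f = node.func
        is_getenv = (isinstance(f, ast.Attribute) and f.attr == "getenv"
                     and isinstance(f.value, ast.Name) and f.value.id == "os")
        is_environ_get = (isinstance(f, ast.Attribute) and f.attr == "get"
                          and self._is_os_environ(f.value))
        if (is_getenv or is_environ_get) and node.args and isinstance(node.args[0], ast.Constant):
            self.env_vars.add(str(node.args[0].value))
        self.generic_visit(node)


def observed_capabilities(source):
    """Return the capabilities the script's source actually exercises."""
    v = CapabilityVisitor()
    v.visit(ast.parse(source))
    return {"env": sorted(v.env_vars), "network": bool(v.network_modules)}


def undeclared_capabilities(source, manifest):
    """Return the capabilities used by the script but absent from the manifest.
    An empty dict means the declaration matches the observed behaviour."""
    observed = observed_capabilities(source)
    declared = manifest.get("permissions", {})
    gaps = {}
    missing_env = sorted(set(observed["env"]) - set(declared.get("env", [])))
    if missing_env:
        gaps["env"] = missing_env
    if observed["network"] and not declared.get("network", False):
        gaps["network"] = True
    return gaps


if __name__ == "__main__":
    print(undeclared_capabilities(SAMPLE_SCRIPT, UNDERDECLARED_MANIFEST))
    print(undeclared_capabilities(SAMPLE_SCRIPT, HONEST_MANIFEST))
```

Against the underdeclared manifest the check reports both environment variables and the network capability as missing; against the honest manifest it reports nothing. Import-based detection is deliberately coarse: it flags a script that imports a client it never calls, which for a least-privilege review is the right direction to err in.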

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The script explicitly tells users they can provide the BrowserAct API key 'in the chat', which encourages disclosure of a sensitive credential through an unsafe channel. In an agent/skill context this is especially dangerous because chat content may be logged, retained, or exposed to other components, creating a real risk of credential theft and subsequent abuse of the BrowserAct account.
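The credential-handling pattern the overview and this finding ask for, as an added example rather than the skill's own script: the key is read only from the environment, input that looks like a pasted credential is refused instead of used, every outbound request goes through an injectable transport so the code runs offline, and anything written to a log or returned to the transcript is redacted. `BROWSERACT_API_KEY` is the variable the first finding names; the key pattern, the endpoint and the response fields are hypothetical, and `fake_transport` is a constructed stand-in for the real HTTP call.

```python
import os
import re

ENV_VAR = "BROWSERACT_API_KEY"
# Hypothetical key shape, used only to recognise a credential pasted into chat.
KEY_RE = re.compile(r"\b[A-Za-z0-9_\-]{32,}\b")
# ASINs are ten upper-case alphanumeric characters.
ASIN_RE = re.compile(r"^[A-Z0-9]{10}$")


class CredentialError(ValueError):
    pass


def load_api_key(environ=None):
    """Read the key from the environment only; it is never a chat-supplied parameter."""
    environ = os.environ if environ is None else environ
    key = environ.get(ENV_VAR, "").strip()
    if not key:
        raise CredentialError(f"{ENV_VAR} is not set; configure it via the environment or a secret store")
    return key


def looks_like_secret(text):
    return bool(KEY_RE.search(text))


def redact(text, secrets):
    """Replace every occurrence of a known secret before text reaches a log or transcript."""
    for s in secrets:
        if s:
            text = text.replace(s, "[REDACTED]")
    return text


def lookup_asin(user_input, transport, environ=None, log=None):
    """user_input is the raw text received from chat; transport(url, headers, params) -> dict.
    Returns a result dict that is safe to write into the transcript."""
    log = [] if log is None else log
    user_input = user_input.strip()
    # Refuse, rather than use, a credential that arrived over the chat channel.
    if looks_like_secret(user_input):
        log.append("refused: credential-like token received in chat input")
        raise CredentialError("API keys must be set in the environment, not provided in chat")
    if not ASIN_RE.fullmatch(user_input):
        raise ValueError("expected a 10-character ASIN")
    key = load_api_key(environ)
    url = "https://api.example.invalid/asin"  # hypothetical endpoint, not BrowserAct's
    headers = {"Authorization": f"Bearer {key}"}
    result = transport(url, headers, {"asin": user_input})
    # Redact before anything is logged; the key must not appear in transcripts.
    log.append(redact(f"lookup {user_input} via {url} auth={headers['Authorization']}", [key]))
    return {k: redact(str(v), [key]) for k, v in result.items()}


def refused_as_credential(user_input, environ=None):
    """True if lookup_asin rejected the input on credential grounds."""
    try:
        lookup_asin(user_input, fake_transport, environ=environ)
    except CredentialError:
        return True
    except ValueError:
        return False
    return False


# Constructed fake transport: never touches the network and echoes the
# Authorization header so the caller can confirm redaction actually happened.
def fake_transport(url, headers, params):
    return {"asin": params["asin"], "title": "Example product", "auth_seen": headers["Authorization"]}


if __name__ == "__main__":
    env = {ENV_VAR: "sk_test_0123456789abcdef0123456789abcdef"}  # constructed sample key
    log = []
    print(lookup_asin("B000000000", fake_transport, environ=env, log=log))
    print(log)
```

The distinction that matters is the channel: the same key is accepted from `os.environ` and rejected from the chat string, so a user who follows the script's "paste it in the chat" instruction gets an error pointing at the environment instead of a silently logged credential.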

VirusTotal

64/64 vendors flagged this skill as clean.
