Skill v0.1.4

ClawScan security

Amazon Asin Lookup Api Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 17, 2026, 10:57 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and required environment variable are consistent with its stated purpose of calling BrowserAct's Amazon ASIN lookup API; nothing in the package requests unrelated credentials or performs unexpected local actions.
Guidance
This skill contacts BrowserAct (api.browseract.com) and will send ASINs and the API key you provide to that external service. Only install it if you trust BrowserAct and are comfortable with that data flow. Before using: (1) confirm billing/usage implications on your BrowserAct account, (2) avoid sending any sensitive or private identifiers as ASIN input, (3) store and supply the BROWSERACT_API_KEY securely (rotate if exposed), and (4) review BrowserAct's privacy policy if you need to know what additional metadata the service may record. The package itself appears coherent and limited in scope.

Review Dimensions

Purpose & Capability
ok: The skill claims to look up Amazon product data by ASIN and requires only a BrowserAct API key and Python to run. The included script calls api.browseract.com with a template ID to start and poll a task; this matches the described purpose.
Instruction Scope
ok: SKILL.md instructs the agent to run the provided Python script and to only use the BROWSERACT_API_KEY. The script only reads the ASIN argument and the BROWSERACT_API_KEY environment variable, calls BrowserAct endpoints, polls for status, and prints results. It does not read other files, system credentials, or send data to unexpected endpoints.
Install Mechanism
ok: No install spec is present (instruction-only), and the script requires only Python and the requests library at runtime. Nothing is downloaded or extracted from arbitrary URLs by the skill itself.
Credentials
ok: The only required environment variable is BROWSERACT_API_KEY, which is appropriate for a skill that calls the BrowserAct API. No unrelated tokens, passwords, or config paths are requested.
Persistence & Privilege
ok: The skill is not marked always:true and does not request modification of other skills or system-wide settings. Autonomous invocation is allowed (platform default), which is expected for a user-invocable skill.