Amazon Competitor Analyzer

v0.1.6

Scrapes Amazon product data from ASINs using browseract.com automation API and performs surgical competitive analysis. Compares specifications, pricing, revi...

7 · 4.2k · 19 current · 19 all-time
by Henk Nie (@phheng)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name/description (Amazon scraping via BrowserAct) matches the code and SKILL.md: requests to api.browseract.com endpoints (run-task-by-template, get-task-status, get-task) implement the stated purpose. However, the registry metadata claims no required environment variables or credentials while both SKILL.md and the Python code require BROWSERACT_API_KEY — a clear mismatch.
Instruction Scope
SKILL.md instructions stay within scope: they explain acquiring a BrowserAct API key, setting it via .env or environment variable, and running the provided Python script which calls BrowserAct. The script reads/writes only local output files and the skill directory's .env, and does not instruct reading unrelated system files or credentials.
Install Mechanism
This is an instruction-only skill with no install spec. The Python file depends only on requests (and optionally python-dotenv). No remote downloads, install scripts, or archive extraction are present, so install risk is low.
Credentials
The skill legitimately requires BROWSERACT_API_KEY (used as a Bearer token for BrowserAct API calls). That credential is declared in SKILL.md and the code but is not listed in the registry metadata or primary credential field — this discrepancy is concerning and reduces transparency. The script also attempts to load a .env file from the skill directory and will set process environment variables from it; while this behavior is expected for API-key-based tools, users should be aware the key is transmitted to BrowserAct servers when tasks are submitted.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and does not persist credentials beyond using the provided API key at runtime. It operates on-demand and stores outputs locally as files in the output directory.
What to consider before installing
Before installing, note the concrete mismatch: SKILL.md and the Python script require BROWSERACT_API_KEY, but the registry metadata lists no required credentials. Verify the publisher and ask them to correct the metadata or explain why the registry omits the API key requirement. Understand that the tool will send ASINs and scraped product data to BrowserAct (api.browseract.com) — review BrowserAct's privacy/TOS and do not provide sensitive credentials. If you proceed, test the skill in an isolated environment, confirm network traffic goes only to api.browseract.com, and avoid supplying unrelated secrets or high-privilege credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk9718ks5hzgh5xsz1vhyaerkkn81tnk5
