Skill v0.1.6
ClawScan security
Amazon Competitor Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 25, 2026, 8:35 AM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and README require a BrowserAct API key and send scraped data to api.browseract.com, but the registry metadata does not declare that credential — an incoherence that should be resolved before installing.
- Guidance
- Before installing, note the concrete mismatch: SKILL.md and the Python script require BROWSERACT_API_KEY, but the registry metadata lists no required credentials. Verify the publisher and ask them to correct the metadata or explain why the registry omits the API key requirement. Understand that the tool will send ASINs and scraped product data to BrowserAct (api.browseract.com) — review BrowserAct's privacy/TOS and do not provide sensitive credentials. If you proceed, test the skill in an isolated environment, confirm network traffic goes only to api.browseract.com, and avoid supplying unrelated secrets or high-privilege credentials.
Review Dimensions
- Purpose & Capability
- note: The skill's name/description (Amazon scraping via BrowserAct) matches the code and SKILL.md: requests to api.browseract.com endpoints (run-task-by-template, get-task-status, get-task) implement the stated purpose. However, the registry metadata claims no required environment variables or credentials while both SKILL.md and the Python code require BROWSERACT_API_KEY — a clear mismatch.
- Instruction Scope
- ok: SKILL.md instructions stay within scope: they explain acquiring a BrowserAct API key, setting it via .env or environment variable, and running the provided Python script which calls BrowserAct. The script reads/writes only local output files and the skill directory's .env, and does not instruct reading unrelated system files or credentials.
- Install Mechanism
- ok: This is an instruction-only skill with no install spec. The Python file depends only on requests (and optionally python-dotenv). No remote downloads, install scripts, or archive extraction are present, so install risk is low.
- Credentials
- concern: The skill legitimately requires BROWSERACT_API_KEY (used as a Bearer token for BrowserAct API calls). That credential is declared in SKILL.md and the code but is not listed in the registry metadata or primary credential field — this discrepancy is concerning and reduces transparency. The script also attempts to load a .env file from the skill directory and will set process environment variables from it; while this behavior is expected for API-key-based tools, users should be aware the key is transmitted to BrowserAct servers when tasks are submitted.
- Persistence & Privilege
- ok: The skill does not request always:true, does not modify other skills or system-wide settings, and does not persist credentials beyond using the provided API key at runtime. It operates on-demand and stores outputs locally as files in the output directory.
