Amazon Keyword Research
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill's content mostly matches its stated purpose of Amazon keyword research, but its bundled script unsafely embeds the searched keyword into Python source code, so a crafted keyword could run local commands.
Review this skill before installing. Its research purpose is coherent, but the bundled script should be fixed before use because crafted keywords can become local code execution. If you proceed, use only non-sensitive keywords, verify the source, and ensure the expected local tools are available.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or accidentally crafted keyword could cause the local machine running the skill to execute commands, not just perform keyword research.
The user-controlled keyword is incorporated into Python source code passed to python3 -c. A keyword containing crafted quotes/parentheses could break out of the string and execute arbitrary Python/local commands under the user's account.
KEYWORD="${1:?Usage: research.sh <keyword> [marketplace]}"
ENCODED=$(python3 -c "import urllib.parse; print(urllib.parse.quote('${SEARCH_TERM}'))")
Do not run this helper on untrusted or unsanitized keywords until patched. The script should pass values as arguments, for example python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))' "$SEARCH_TERM", rather than embedding input in code.
The agent may choose this skill for broad Amazon product or selling questions and send the searched terms to external research services.
The activation guidance is broad and encourages use for vague Amazon-selling questions. It remains aligned with the skill's stated purpose, but it can increase automatic invocation.
Make sure to use this skill whenever the user mentions Amazon product research... even if they don't explicitly say 'keyword research'.
Use the skill only when you want Amazon keyword research, and avoid submitting sensitive product ideas if you do not want those terms queried externally.
The script may fail or behave differently depending on local tooling that was not declared in the skill metadata.
The helper visibly depends on curl and python3, while the registry requirements declare no required binaries. This is an under-declared execution dependency.
RESULT=$(curl -s "https://completion.${DOMAIN}/api/2017/suggestions?..."
ENCODED=$(python3 -c "import urllib.parse; print(urllib.parse.quote('${SEARCH_TERM}'))")
Declare curl and python3 as required binaries or replace them with a safer, declared runtime path.
