Amazon Reviews Api Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed BrowserAct integration for fetching Amazon reviews by ASIN, with no evidence of hidden persistence, destructive behavior, or unrelated data access.

Install this only if you intend to use BrowserAct for Amazon review extraction and are comfortable configuring BROWSERACT_API_KEY. Review requests and ASINs are processed by BrowserAct, and results may include reviewer profile links and country data, so use the collected review data in line with privacy, platform, and compliance expectations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 91%
Finding
The proactive trigger language is very broad and encourages automatic use for many loosely related requests, which can cause the agent to invoke the skill without sufficiently confirming user intent. In this skill, that means performing third-party data extraction and collecting review/profile data when the user may only want general analysis or discussion, creating unnecessary external requests and privacy/compliance risk.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly outputs reviewer profile links and country data but does not clearly warn users that personal or profile-related data will be collected and processed. In a market-research and scraping context, this omission is more dangerous because it can lead to unintentional collection, downstream sharing, or analysis of personal data without informed user awareness or appropriate minimization.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script reads a BrowserAct API key and uses it to send authenticated requests and user-supplied ASIN data to a third-party service without any meaningful consent, warning, or disclosure at the point of use. In an agent skill context, this is dangerous because users may assume processing is local while their queries and associated credentials are actually transmitted externally.

VirusTotal

66/66 vendors flagged this skill as clean.
