Back to skill

Security audit

Amazon Competitor Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it sends user-provided Amazon ASINs to BrowserAct to collect product data and writes local analysis reports.

Install only if you are comfortable sending ASINs and related Amazon research activity to BrowserAct under your account. Use a dedicated BrowserAct API key if possible, protect any .env file, and run it in an output directory where creating or overwriting amazon_analysis.csv, amazon_analysis.md, and amazon_analysis.json is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares access to an API key and describes networked scraping plus writing output files, but it does not declare corresponding permissions. This creates a transparency and consent gap: a user or hosting framework may not realize the skill can exfiltrate ASIN queries and retrieved data to a third-party service and write local artifacts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill states it uses BrowserAct for browser automation, but it does not clearly warn users that user-supplied ASINs and related Amazon product queries are transmitted to a third-party service. This undermines informed consent and can expose business-sensitive research activity, query patterns, and collected market intelligence to an external processor.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill sends user-supplied ASINs to a third-party service (BrowserAct) without explicit runtime disclosure or consent. Even though ASINs are not highly sensitive by themselves, user queries, competitive-research targets, and resulting analysis may reveal business intent or proprietary research activity to an external processor.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill automatically writes CSV, Markdown, and JSON files to disk when an output directory is provided, but it does not clearly warn users that local artifacts containing competitive-analysis data will be created. This can expose sensitive market research on shared systems, CI runners, or multi-user environments where filesystem access is broader than expected.

External Transmission

Medium
Category
Data Exfiltration
Content
}
        
        try:
            response = requests.post(
                f"{API_BASE_URL}/run-task-by-template",
                json=data,
                headers=self.headers,
Confidence
93% confidence
Finding
requests.post( f"{API_BASE_URL}/run-task-by-template", json=

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.