Security audit

Amazon Product Search Api Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Amazon product search integration that sends user-provided search parameters to BrowserAct and returns results, with no evidence of hidden local access or destructive behavior.

Install only if you are comfortable using BrowserAct for Amazon product searches. Keep BROWSERACT_API_KEY in the environment rather than pasting it into chats, avoid sending confidential product research terms unless approved, and stop the script manually if polling runs longer than expected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding: The description instructs the agent to proactively apply the skill across a wide range of shopping, monitoring, cataloging, and market-research requests. That broad trigger scope can cause unintended invocation, resulting in user inputs being sent to an external service or code being run when the user did not explicitly consent to using this integration.

Missing User Warnings

Medium
Confidence: 96%
Finding: The skill does not warn users that their search terms, brand filters, and related parameters are transmitted to BrowserAct's external API/service. This lack of disclosure undermines informed consent and can expose sensitive business research terms or proprietary product-monitoring queries to a third party.

VirusTotal

65/65 vendors flagged this skill as clean.
