Real-time Amazon Data

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Canopy API helper for Amazon product lookups, with expected third-party API use and no hidden execution behavior found.

Install only if you intend to use Canopy for Amazon data. Use a dedicated or limited Canopy API key where possible, avoid submitting secrets or sensitive internal research terms as search parameters, and monitor API usage or billing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly sends product identifiers, search terms, seller IDs, author lookups, and related query data to a third-party service (Canopy API), but it does not warn users that their inputs will leave the local environment and be shared externally. This creates a privacy and data-governance risk, especially if a user provides sensitive product URLs, proprietary research terms, or account-related identifiers under the assumption the skill operates locally.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal