Amazon-analysis-skill

Security checks across malware telemetry and agentic risk

Overview

This Amazon research skill is mostly coherent, but it stores API keys in plaintext and includes a nationality-profiling workflow that users should review carefully before installing.

Install only if you intend to use APIClaw for Amazon seller research. Prefer setting APICLAW_API_KEY as an environment variable instead of giving the key to the agent or saving it in config.json, and avoid using the Chinese seller workflow because it relies on weak nationality proxies that can produce biased or discriminatory analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Context-Inappropriate Capability

Medium severity, 97% confidence
Finding
The skill instructs the agent to write a user-provided API key into `config.json`, creating unnecessary credential persistence on disk. Persisting secrets beyond the active session increases exposure to accidental disclosure, later reuse by unrelated workflows, or leakage through logs, backups, or file reads.

Intent-Code Divergence

Medium severity, 94% confidence
Finding
The document claims the API key is used only for the APIClaw domain, but adjacent instructions direct storing that same key in a local config file. That contradiction weakens user trust and expands the credential's exposure surface from network transmission to local persistence, where other tools or processes may access it.

Context-Inappropriate Capability

Medium severity, 97% confidence
Finding
The skill instructs the agent to infer whether sellers are Chinese using proxies such as city names, pinyin-like brand names, suffixes like '-Direct'/'-Store', and product-category stereotypes when explicit location data is absent. This is dangerous because it operationalizes nationality/ethnicity inference from weak signals, creating a high risk of discriminatory profiling, misclassification, and policy-sensitive targeting unrelated to a legitimate technical requirement.

Context-Inappropriate Capability

Medium severity, 89% confidence
Finding
The self-check command reads API credentials from ~/.apiclaw/config.json, which is outside the skill's documented credential sources and outside the skill directory. Accessing unrelated home-directory config broadens the skill's credential reach and can cause it to consume secrets the user did not intend to expose to this skill.

Missing User Warnings

Medium severity, 89% confidence
Finding
The README explicitly tells users they can give the API key to the AI agent and that it will be auto-saved to config.json, but it does not explain where that file is stored, who can read it, or the risks of exposing secrets to an LLM-driven tool. In an agent skill context, this is more dangerous than a normal app README because users may paste credentials into conversational interfaces, logs, telemetry, or shared workspaces, causing unintended secret disclosure.

Missing User Warnings

High severity, 98% confidence
Finding
The skill directs the agent to persist user-provided API keys without warning the user that their credential will be stored locally. In context, this is more dangerous because the skill explicitly handles a live third-party API secret; silent storage can surprise users and materially increase the risk of credential compromise or unauthorized reuse.

Vague Triggers

Medium severity, 83% confidence
Finding
The trigger phrases for the composite recommendation flow include broad terms like 'help me choose' and 'what should I sell,' which can cause the skill to activate in loosely related conversations without adequate scoping. Unintended invocation can expose users to unnecessary data collection, irrelevant automation, or recommendations produced without the required contextual inputs.

Vague Triggers

Medium severity, 88% confidence
Finding
The Chinese seller case-study trigger includes broad phrases such as 'Chinese sellers' without clear constraints on purpose or acceptable use. This increases the chance the scenario is invoked for nationality-based segmentation or profiling requests that are sensitive and difficult to justify within a normal product-research workflow.

Natural-Language Policy Violations

High severity, 98% confidence
Finding
This section directs the agent to analyze and rank sellers based on nationality proxies, calculate a 'Chinese seller ratio,' and derive strategies from that grouping. In the context of a general Amazon product-research skill, this makes the feature more dangerous because it turns a commercial analytics tool into a mechanism for sensitive attribute inference and targeting, which can enable discriminatory decision-making and biased market analysis.

Vague Triggers

Medium severity, 94% confidence
Finding
The trigger phrases in this scenario file are broad enough to match ordinary user language such as generic requests about risks, comparison, or sales. In an agent system, that can cause the skill to activate when the user did not intend Amazon seller analysis, leading to unintended tool use, irrelevant external data access, and possible leakage of user query context to the API-backed skill.

Vague Triggers

Medium severity, 89% confidence
Finding
The trigger phrases for competitive listing analysis are broad enough to match ordinary user requests such as asking what competitors are saying, which can cause the skill to activate outside clearly intended contexts. In an agentic system, over-broad routing can expose external data access and persuasive content-generation flows when the user did not explicitly request Amazon seller analysis.

Vague Triggers

Medium severity, 93% confidence
Finding
Phrases like 'write listing' or 'help me write product page' are generic and can overlap with many non-Amazon writing tasks, making unintended skill invocation likely. Because this skill is connected to external competitive and review-analysis workflows, misrouting could lead to unnecessary API use, irrelevant data retrieval, or generation of marketplace-optimized copy in the wrong context.

Vague Triggers

Medium severity, 91% confidence
Finding
Triggers such as 'optimize my listing' and 'improve my listing' are ambiguous and lack scope boundaries, so the skill may activate for general content editing rather than Amazon listing diagnosis. In this skill's context, that increases the chance of unintended competitor lookups, product analysis, and diagnostic recommendations based on external data sources without clear user intent.

Ssd 3

Medium severity, 97% confidence
Finding
The skill plainly instructs persistent storage of an API key in a local configuration file, which is a classic secret-handling weakness. Even if intended as convenience, storing credentials in a predictable local file can expose them to other skills, users, debugging output, backups, or source-control mistakes.

VirusTotal

63/63 vendors flagged this skill as clean.