Amz Product Optimizer

Security checks across malware telemetry and agentic risk

Overview

This Amazon listing optimization skill is coherent and disclosed, but users should back up product files and understand that external services may be used.

Install this only if you want help optimizing Amazon product listings. Use a backup or version-controlled product file, review generated titles and image URLs before publishing, avoid including supplier costs or private business metrics unless needed, and enable recurring CTR monitoring only when you understand how it runs and stops.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger description is broad enough to activate on many normal Amazon or e-commerce requests, potentially invoking a workflow that performs scraping, file reads/writes, image generation, or monitoring when the user did not explicitly ask for automation. In a skill that can modify local files and contact external services, over-broad routing increases the chance of unintended side effects and data exposure.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill states that it saves results back to the provided product file but does not clearly warn that local data will be modified in place. This can lead to accidental overwrites, corruption of product data, or user surprise, especially in a bulk optimization workflow touching many records.

Missing User Warnings

Medium
Confidence: 94%
Finding
The workflow includes scraping keywords, generating images through an external service, and CTR monitoring, but it does not warn users that network requests may occur or that product data may be transmitted to third parties. In this context, product metadata, prompts, or business performance information could leave the local environment without informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.
