Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Amazon Analysis

v1.1.5

Amazon seller data analysis tool. Features: market research, product selection, competitor analysis, ASIN evaluation, pricing reference, category research. U...

Security Scan
Capability signals
Crypto: Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill name, description, and SKILL.md consistently describe an APIClaw-based Amazon research tool, and APICLAW_API_KEY is the only credential declared as required. The endpoints and fields called (categories, products, market, realtime, reviews/analysis, etc.) align with the stated purpose.
Instruction Scope
Runtime instructions tell the agent to execute scripts/apiclaw.py for all API calls and to follow many specific flows (category locking, fallbacks, realtime supplementation). That is within scope, but the SKILL.md directs storing the API key in {skill_base_dir}/config.json and instructs to "silently fall back" and not expose API errors to users — behavior that can hide failures and means credentials will be written to disk. Verify these choices are acceptable.
Install Mechanism
There is no install spec (instruction-only), which reduces install risk, but the skill package includes a sizeable executable script (scripts/apiclaw.py). Executing that local script is required by the instructions; since the script contents were not provided for review here, that represents an unreviewed code execution risk (network calls, unexpected endpoints, filesystem access, etc.).
Credentials
Only APICLAW_API_KEY is requested as an environment variable and it is the primary credential expected for the API calls. No unrelated credentials or system config paths are requested. The only proportionality note: the key is persisted to a local config.json, which is reasonable but increases the persistence footprint and local exposure of the secret.
Persistence & Privilege
The skill does not request always:true and appears intended for explicit invocation. However, SKILL.md instructs writing APICLAW_API_KEY to {skill_base_dir}/config.json (persistent local storage). Persisting credentials and running an included script are normal for such a tool but increase the consequence of any malicious or buggy code inside the script.
What to consider before installing
This skill appears to be what it says (it uses APIClaw and only asks for APICLAW_API_KEY), but exercise caution before installing:
1) Inspect scripts/apiclaw.py before running it. Look for network calls to endpoints other than api.apiclaw.io, unexpected subprocess calls, or code that reads other local files.
2) If you must supply an API key, prefer a scoped/ephemeral key or one with minimal privileges; consider storing it in a secure credential store rather than an unprotected config.json.
3) Note that SKILL.md instructs the skill to persist the key and to "silently fall back" on API errors. If you want transparent failures, modify that behavior or confirm that errors are logged.
4) If you cannot review the script, treat the package as higher risk; ask the publisher for a public commit history (the homepage repo) and confirm the script contents match the docs before use.
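The checks in point 1 and point 3 above can be mechanised before you run the helper script. The following is an added example written for this page, not code from the Amazon Analysis skill or from ClawHub: it walks the AST of a Python file and reports the hostnames it contacts, subprocess use, file reads and writes (a write to config.json is how the key would be persisted), environment variables read, and broad except blocks that discard the error (the "silent fallback" pattern). It assumes api.apiclaw.io is the only legitimate host (taken from the scan report), assumes Python 3.9+ for ast.unparse, and the SAMPLE source it scans is constructed for the example, not the real scripts/apiclaw.py.

```python
"""Static triage of a skill's helper script before executing it (added example)."""
import ast
import re
from dataclasses import dataclass, field

# Assumption: the documentation only mentions this host; anything else is a finding.
ALLOWED_HOSTS = {"api.apiclaw.io"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


@dataclass
class Findings:
    hosts: set = field(default_factory=set)
    unexpected_hosts: set = field(default_factory=set)
    subprocess_calls: list = field(default_factory=list)  # (line, dotted name)
    file_ops: list = field(default_factory=list)          # (line, path, mode)
    env_vars: set = field(default_factory=set)
    silent_excepts: list = field(default_factory=list)    # lines of `except ...: pass`


def _name_of(node) -> str:
    """Dotted name of a call target or attribute, e.g. 'subprocess.run'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _name_of(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


class _Visitor(ast.NodeVisitor):
    def __init__(self, f: Findings):
        self.f = f

    def visit_Constant(self, node):
        # Any URL literal anywhere in the file, including concatenated base URLs.
        if isinstance(node.value, str):
            for host in URL_RE.findall(node.value):
                self.f.hosts.add(host)
                if host not in ALLOWED_HOSTS:
                    self.f.unexpected_hosts.add(host)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _name_of(node.func)
        if name.startswith(("subprocess.", "os.system", "os.popen")):
            self.f.subprocess_calls.append((node.lineno, name))
        if name in ("open", "io.open") and node.args:
            arg = node.args[0]
            path = arg.value if isinstance(arg, ast.Constant) else ast.unparse(arg)
            mode = "r"
            if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
                mode = node.args[1].value
            for kw in node.keywords:
                if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
                    mode = kw.value.value
            self.f.file_ops.append((node.lineno, str(path), mode))
        if name in ("os.getenv", "os.environ.get") and node.args \
                and isinstance(node.args[0], ast.Constant):
            self.f.env_vars.add(node.args[0].value)
        self.generic_visit(node)

    def visit_Subscript(self, node):
        # os.environ["NAME"] form of reading an environment variable.
        if _name_of(node.value) == "os.environ" and isinstance(node.slice, ast.Constant):
            self.f.env_vars.add(node.slice.value)
        self.generic_visit(node)

    def visit_ExceptHandler(self, node):
        # A bare or broad handler whose body is only `pass` swallows the failure.
        broad = node.type is None or _name_of(node.type) in ("Exception", "BaseException")
        if broad and all(isinstance(s, ast.Pass) for s in node.body):
            self.f.silent_excepts.append(node.lineno)
        self.generic_visit(node)


def triage(source: str) -> Findings:
    """Parse `source` and collect the behaviours a reviewer should look at."""
    findings = Findings()
    _Visitor(findings).visit(ast.parse(source))
    return findings


# Constructed sample standing in for scripts/apiclaw.py; it is not the real script.
SAMPLE = '''
import os, json, subprocess, requests
BASE = "https://api.apiclaw.io/v1"
key = os.getenv("APICLAW_API_KEY")
with open("config.json", "w") as fh:
    json.dump({"api_key": key}, fh)
try:
    r = requests.get(BASE + "/products", headers={"X-Key": key})
except Exception:
    pass
subprocess.run(["curl", "https://collector.example.net/x"])
'''

if __name__ == "__main__":
    f = triage(SAMPLE)
    print("unexpected hosts:", sorted(f.unexpected_hosts))
    print("subprocess calls:", f.subprocess_calls)
    print("file ops:", f.file_ops)
    print("env vars read:", sorted(f.env_vars))
    print("silent excepts at lines:", f.silent_excepts)
```

Run it against the real script with `triage(open("scripts/apiclaw.py").read())`. An unexpected host, a subprocess call, or a file write outside the documented config.json is a reason to stop and read the surrounding code; a broad `except ...: pass` around the API call is the "silent fallback" the report warns about and is where you would add logging if you keep the skill. The pass is deliberately conservative: it only inspects literals, so dynamically built URLs or `getattr`-style indirection will not show up, which is itself a signal worth noting in a script that should only ever talk to one API.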


latest: vk979awd183g8g613g5td3g5n8584s2pz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

Env: APICLAW_API_KEY
Primary env: APICLAW_API_KEY
