amazon-review-insights

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed AstrMap API wrapper for Amazon review analysis, with sensitive credentials and an external desktop client dependency that users should handle carefully.

Install only if you trust AstrMap with the API key, submitted product identifiers, task metadata, and retrieved review content. Use CUSTOMER_INSIGHTS_API_KEY rather than hardcoding keys, verify the desktop client download and signature/checksum, use a dedicated Amazon buyer account for collection, and require explicit confirmation before actions that spend points or start collection/analysis.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 77% confidence
Finding: The usage examples include broad phrasing that could match ordinary user requests, making accidental invocation more likely. In this skill, unintended activation is riskier because it can lead to API-key collection prompts, point-consuming operations, and interactions with external services or desktop client workflows.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The API reference shows use of live bearer API keys (`sk_live_...`) but provides no guidance to avoid logging, hardcoding, screenshotting, or otherwise exposing those credentials. In agent and integration contexts, developers frequently copy examples directly into code or telemetry, which can lead to credential leakage and unauthorized API use.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal