Amazon Push Score

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a purpose-aligned Amazon listing/ranking analysis helper, with the main concern being imprecise activation keywords rather than unsafe behavior.

Installers should understand that the skill may be invoked by broad Amazon-ranking language; confirm that you actually want push-score or traffic-tier analysis before relying on its recommendations. No artifact-backed evidence supports treating it as malicious or requiring Review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (91% confidence)
Finding
The trigger phrase at line 35 is broad enough to match ordinary discussions about Amazon ranking or algorithm behavior, which can cause the skill to activate when the user did not intend to invoke it. In a routing system, this can misdirect user requests, produce irrelevant business advice, and crowd out more appropriate skills.

Vague Triggers

Medium (88% confidence)
Finding
The trigger on line 29 is ambiguous and lacks enough contextual specificity to distinguish between casual mention of an Amazon concept and a real request for this skill's specialized scoring workflow. This increases unintended invocation risk and may route users into an optimization framework they did not request.

Vague Triggers

Low (86% confidence)
Finding
The manifest exposes a keyword list without guardrails such as activation criteria, exclusions, or negative examples, so the orchestrator has little basis to separate valid invocations from incidental keyword matches. This weakens routing precision and can lead to over-activation across normal ecommerce discussions.

VirusTotal

65/65 vendors flagged this skill as clean.
