ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ads Optimizer Skill

v1.0.1

Amazon Ads API v3 skill for OpenClaw agents. List profiles, manage Sponsored Products campaigns, view budgets and performance. Works with any advertiser acco...

0· 478·0 current·0 all-time
byZero2Ai@zero2ai-hub·duplicate of @zero2ai-hub/skill-amazon-ads
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Amazon Ads API v3) align with required binaries (node), the included script, and the network calls to Amazon endpoints. Minor discrepancy: registry metadata lists no required env vars while SKILL.md documents an optional AMAZON_ADS_PATH — this is functional (there's a default path) but the metadata could be more explicit.
Instruction Scope
SKILL.md confines runtime behavior to creating a credentials JSON file, optionally setting AMAZON_ADS_PATH, and running the provided node script. The script only reads that credentials file, fetches tokens from api.amazon.com, and calls Amazon advertising endpoints; it does not reference other system files or unexpected external endpoints.
Install Mechanism
No install spec (instruction-only) and the code file is small and readable. Nothing is downloaded from arbitrary URLs or extracted to disk by an installer.
Credentials
The skill requires Amazon LWA client ID/secret, refresh token, profileId and region — which are appropriate for the Ads API and are stored in a local JSON file rather than as declared environment variables. The metadata did not declare a primary credential or required env vars, which is a minor metadata mismatch but not a functional red flag.
Persistence & Privilege
Skill is not always-on, does not request elevated system privileges, and does not modify other skills or global agent settings. It runs only when invoked.
Assessment
This skill appears to do what it claims: it needs a local amazon-ads-api.json with your LWA client ID/secret, refresh token, profileId, and region, and it uses Node to call Amazon's official endpoints. Before installing: (1) verify the skill's origin — the package has no homepage and an unknown source owner, so prefer code you trust; (2) store amazon-ads-api.json securely (restrict file permissions) and avoid putting production credentials in shared locations; (3) consider using short-lived or scoped credentials and rotate them if you suspect exposure; (4) confirm your Node runtime provides fetch or run with a Node version that supports it; (5) review the small scripts/ads.js yourself (it's readable) — if you accept these conditions, the skill's requirements are proportionate to its purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk974ppannsdj9mvg7s8egd0yds821xvs

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode

Comments