ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Amazon Ads API

v1.0.0

Amazon Ads API v3 skill for OpenClaw agents. List profiles, manage Sponsored Products campaigns, view budgets and performance. Works with any advertiser acco...

0· 552·1 current·1 all-time
byZero2Ai@zero2ai-hub
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, SKILL.md, and scripts/ads.js are consistent: the skill implements Amazon Ads API v3 operations and requires node. The credentials and endpoints requested are appropriate for Amazon Ads.
Instruction Scope
Instructions confine actions to reading a local credentials JSON, requesting tokens from https://api.amazon.com, and calling Amazon advertising endpoints; the script may write an output file when --out is used. Note: SKILL.md asks the user to store LWA client secret and refresh token in a plaintext file (amazon-ads-api.json), which is a sensitive practice and should be protected.
Install Mechanism
No install spec is provided (instruction-only), and the only required binary is node. Included script is self-contained and performs network calls; nothing is downloaded from external/personal URLs during install.
Credentials
The skill requests LWA client id/secret, refresh token, profileId and region—these are expected for Amazon Ads use. However, they are stored/read from a local JSON file (unprotected by default). The SKILL.md references an optional AMAZON_ADS_PATH env var but the registry metadata lists no required env vars; this mismatch is minor but worth noting.
Persistence & Privilege
The skill is not always-enabled, does not request persistent platform privileges, and does not modify other skills or agent configs. It runs on-demand (or via normal autonomous invocation) and only reads/writes the credential file and optional output file.
Assessment
This skill appears to do what it says: it uses your LWA client id/secret and refresh token to call Amazon Ads endpoints. Before installing or running it, verify the source (there's no homepage and owner is unverified), review the included script yourself, and avoid pasting long-lived secrets into shared repos. If you must use it, store amazon-ads-api.json with strict filesystem permissions (e.g., chmod 600), set AMAZON_ADS_PATH to a secure path, run the script in a sandbox or isolated environment first, and rotate credentials if you stop trusting the skill. Also consider creating an LWA app with limited permissions and short-lived credentials where possible.

Like a lobster shell, security has layers — review code before you run it.

latestvk97372ctzwsjdrhq16c5r4ty3s821aza

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode

Comments