ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Amazon Ads Optimizer

v1.0.0

Amazon Ads API v3 skill for OpenClaw agents. List profiles, manage Sponsored Products campaigns, view budgets and performance. Works with any advertiser acco...

0· 581·2 current·2 all-time
byZero2Ai@zero2ai-hub
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description say Amazon Ads API v3 and the included script implements LWA token exchange, profile listing, and Sponsored Products campaign calls to advertising-api.amazon.com (and regional endpoints). Required binaries (node) and the credential fields described in SKILL.md (lwaClientId, lwaClientSecret, refreshToken, profileId, region) align with the Ads API purpose.
Instruction Scope
SKILL.md instructs the user to create a local credentials JSON (amazon-ads-api.json) and optionally set AMAZON_ADS_PATH; runtime instructions only call Amazon endpoints and run the included Node script. Note: the skill asks you to store sensitive secrets on disk (client secret and refresh token) — exercise care protecting that file (permissions, do not check into VCS).
Install Mechanism
This is instruction-only with an included Node script; there is no install spec, no external downloads, and no archives extracted. That keeps the install surface minimal.
Credentials
The only sensitive data required are Ads-specific credentials (LWA client id/secret and refresh token) and profileId, which are necessary to obtain tokens and call the Ads API. No unrelated credentials, secrets, or system-level config paths are requested. The optional AMAZON_ADS_PATH env var is reasonable and scoped to locating the credentials file.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and does not modify other skills or system settings. It reads a local credentials file and can write output only when the user supplies an --out filename; no elevated persistence is requested.
Assessment
This skill appears to do exactly what it says: exchange your LWA refresh token for an access token and call Amazon Ads endpoints. Before installing, verify the source (the registry entry has no homepage and owner ID looks opaque). Protect the credentials file (amazon-ads-api.json) — use strict filesystem permissions, avoid committing it to git, or consider using a secret manager or environment-provided secrets instead of a disk file. If you need higher assurance, inspect the included scripts yourself (ads.js is short and readable) and run the tool in an isolated environment (local container or dedicated machine).

Like a lobster shell, security has layers — review code before you run it.

latestvk97ddc121d9r7rf2q6nc0f8dth821sfd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode

Comments