Back to skill
Skillv1.0.0
VirusTotal security
Amazon Ads API · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:41 AM
- Hash
- 1cd1ec7ec697e424904bb9b122458eca87872e39c7b9fcd272521aba86dc0e0c
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: skill-amazon-ads Version: 1.0.0 The skill provides legitimate functionality for interacting with the Amazon Ads API, handling credentials appropriately and communicating with official Amazon endpoints. However, the `scripts/ads.js` file contains a critical arbitrary file write vulnerability. The `--out` command-line argument is used directly in `fs.writeFileSync(args.out, ...)` without any path sanitization, allowing an attacker to write JSON content to any arbitrary file path on the system. There is no evidence of intentional malicious behavior or prompt injection attempts in the `SKILL.md`.
- External report
- View on VirusTotal