Skill Amazon Review Request

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it can send real Amazon customer review requests and quietly sync order-review metadata to Supabase if local Supabase credentials exist.

Install only if you control the Amazon seller account and want automated review requests. Run dry-run first, remove or restrict `~/supabase-api.json` unless external Supabase logging is intentional, use least-privilege SP-API credentials with Messaging permission, and do not add the cron entry until you are comfortable with recurring customer-facing sends.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium, 94% confidence
The script’s stated purpose is to request Amazon reviews, but it also performs independent Supabase reads and writes using a separate credential source. That extra database capability broadens the skill’s data access and exfiltration surface, especially because review-request activity and identifiers are transmitted to an external service not required for the core Amazon API workflow.

Intent-Code Divergence

Medium, 91% confidence
The file header claims tracking persists to a local JSON log, but the implementation also sends review-request metadata to Supabase. This mismatch is security-relevant because it conceals external data transmission from reviewers and operators, reducing informed consent and making hidden data flows harder to detect.

Missing User Warnings

Medium, 96% confidence
The skill documentation shows a dry-run example and then a live run example, but it does not prominently warn that running live mode will send real Amazon review requests to actual customers. In an agent or automation context, this omission can lead to unintended external actions, customer contact, and policy or reputational issues because operators may execute the default command without recognizing its real-world effect.

Natural-Language Policy Violations

Low, 88% confidence
This documentation exposes the existence and expected locations of internal credential files and service integrations, including environment variable names and a backend table schema. Even without embedding the secrets themselves, publishing operational credential context in a skill can enable unauthorized access attempts, secret discovery, or misuse by an agent that was not intended to access internal systems. The lack of user-facing consent or clear trust boundaries makes this more dangerous because it normalizes hidden access to privileged resources.

VirusTotal

VirusTotal findings are pending for this skill version.
