Amazon Review Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a purpose-aligned Amazon review API helper, but users should understand that their product and review queries go to an external provider and outputs may include public reviewer identifiers.

Install only if you trust the external review API provider with the Amazon products, marketplaces, and research queries you submit. Keep the API key in an environment variable, avoid exporting raw reviewer records unless needed, and consider redacting reviewer profile links or names before sharing results.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill instructs the agent to output complete review records, including fields such as reviewer nickname, profile URL, and full review text, without any privacy warning, minimization, or handling guidance. Even if the source data is publicly visible on Amazon, aggregating and redisplaying it in bulk increases privacy and profiling risk and may violate user expectations or platform data-handling standards.

Missing User Warnings

Medium
Confidence: 90%
Finding
The manifest requires an API credential and the workflow sends ASIN, marketplace, and query parameters to a third-party service, but the skill does not warn users that their query data will be transmitted externally. This reduces informed consent and can expose business-sensitive research interests, competitor targets, or usage patterns to the external provider.

VirusTotal

66/66 vendors flagged this skill as clean.
