Skill v1.0.0

ClawScan security

Product Opportunity Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review date: Apr 8, 2026, 12:57 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini

Summary: The skill's stated purpose (extract Amazon 1–3 star review pain points) matches its code and instructions, but it omits and doesn't declare required credentials and external-service dependencies (Bright Data), which is an incoherence that warrants caution.

Guidance: This skill uses Bright Data to fetch Amazon reviews and the included script requires a Bright Data API key, but the published metadata does not declare that credential — that's the main red flag. Before installing or using: (1) confirm with the author which credential(s) are required and why they weren't declared; (2) if you must provide an API key, create a least-privilege/test Bright Data key and monitor usage/costs; (3) understand that product URLs and review text will be sent to Bright Data (third-party) — evaluate privacy and compliance implications; (4) if you can't verify the owner or don't want to share a Bright Data key, avoid enabling the skill. If the author updates metadata to explicitly declare the Bright Data API requirement and its scope, re-evaluate then.

Review Dimensions

Purpose & Capability
Rating: concern
The skill claims to fetch Amazon reviews and analyze them, which matches the included script and SKILL.md workflow. However, both the SKILL.md and scripts rely on Bright Data (brightdata_amazon_product_reviews / api.brightdata.com) and an API key, yet the registry metadata declares no required environment variables or primary credential. Not declaring the Bright Data API key is an incoherence.

Instruction Scope
Rating: concern
Runtime instructions explicitly direct the agent to call a Bright Data tool to fetch reviews, apply Map-Reduce and produce reports. The instructions do not ask for unrelated system files, but they assume a network-capable tool and credentials exist. The automatic trigger on receiving an Amazon link is expected for the described purpose but means the agent could autonomously send product URLs and review text to Bright Data without the skill declaring where the API key comes from.

Install Mechanism
Rating: ok
This is an instruction-only skill with no install spec. The included Python script is simple and does not perform hidden installs. No inbound archive downloads or non-standard install locations are present.

Credentials
Rating: concern
The script requires an API key (passed on the CLI) for Bright Data, and the SKILL.md references using Bright Data's tool, but the skill metadata lists no required env vars or primary credential. Requesting network access to a third-party scraping provider without declaring it is disproportionate and makes it unclear what secrets the skill needs or will transmit.

Persistence & Privilege
Rating: ok
The "always" field is false, there are no config-path or system-wide modifications, and the skill does not request persistent/privileged presence. Autonomous invocation is allowed (platform default) but not combined here with broad undeclared credential access.