Trusted — Risk Score 5/100
Last scan: 1 day ago
Amazon
Analyze Amazon workflows with JustOneAPI, including Product Details, Product Top Reviews, and Best Sellers, across 4 operations.
This is a straightforward Amazon API wrapper skill that makes GET requests to JustOneAPI. No malicious patterns, obfuscation, or credential harvesting were detected.
Skill Name: Amazon
Duration: 36.6s
Engine: pi
Safe to install
No action needed. The skill is safe to use. Consider passing the token via an environment variable (or a file) instead of a CLI argument for better operational security.

Findings: 1 item

Severity: Low
Finding: API token visible in process arguments (Sensitive Access)
Location: bin/run.mjs:7

The --token argument exposes the API token in process listings (ps, /proc/<pid>/cmdline, which is readable by every local user on Linux); when the skill is invoked from an interactive shell, the value also lands in shell history. This is a minor operational security concern, not a data exfiltration risk: the token is passed directly to the API call and is not sent anywhere else.

    parsed.token = cliToken;

→ Consider passing the token via an environment variable, stdin, or a file rather than a CLI argument. On Linux, /proc/<pid>/environ is readable only by the process owner and root, so an environment variable is already an improvement over cmdline; a file or stdin avoids both. This remains a minor concern for this use case.
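The scanner's recommendation, worked through as an added example in JavaScript. This is not code from the skill's bin/run.mjs; the JUSTONEAPI_TOKEN variable name, the --token-file flag and the injected readFile callback are assumptions made for illustration. The precedence is: environment variable, then a token file, then --token (still accepted, but with a warning that never echoes the full secret).

```javascript
// Added example (not from the Amazon skill's bin/run.mjs): resolve the API token
// in an order that keeps it out of `ps` / /proc/<pid>/cmdline.
// Assumed names: JUSTONEAPI_TOKEN (env var) and --token-file (flag). Neither is
// documented by the skill; both are illustrative.

// Minimal argv parser supporting `--flag value` and `--flag=value`.
function parseArgs(argv) {
  const out = {};
  for (let i = 0; i < argv.length; i++) {
    const a = argv[i];
    if (!a.startsWith('--')) continue;
    const eq = a.indexOf('=');
    if (eq !== -1) {
      out[a.slice(2, eq)] = a.slice(eq + 1);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      out[a.slice(2)] = argv[++i];
    } else {
      out[a.slice(2)] = true;
    }
  }
  return out;
}

// Mask a secret for logs and error messages: first 4 chars plus length only.
function redact(token) {
  if (typeof token !== 'string' || token.length === 0) return '<empty>';
  return `${token.slice(0, 4)}...(${token.length} chars)`;
}

// Returns { token, source, warnings }. readFile is injected so the function is
// pure and testable; in a real CLI it would be fs.readFileSync(path, 'utf8').
function resolveToken({ argv = [], env = {}, readFile = null } = {}) {
  const args = parseArgs(argv);
  const warnings = [];

  // 1. Environment variable: /proc/<pid>/environ is readable only by the
  //    process owner and root, unlike /proc/<pid>/cmdline.
  if (typeof env.JUSTONEAPI_TOKEN === 'string' && env.JUSTONEAPI_TOKEN.trim()) {
    return { token: env.JUSTONEAPI_TOKEN.trim(), source: 'env', warnings };
  }

  // 2. --token-file: the path shows up in ps, the secret does not.
  if (typeof args['token-file'] === 'string') {
    if (!readFile) throw new Error('--token-file requires a readFile function');
    const contents = String(readFile(args['token-file'])).trim();
    if (!contents) throw new Error(`token file ${args['token-file']} is empty`);
    return { token: contents, source: 'file', warnings };
  }

  // 3. --token on the command line: accepted for compatibility, but warn,
  //    because every local user can read it from the process listing.
  if (typeof args.token === 'string') {
    warnings.push(
      `--token ${redact(args.token)} is visible in process listings; ` +
      'prefer JUSTONEAPI_TOKEN or --token-file'
    );
    return { token: args.token, source: 'cli', warnings };
  }

  throw new Error('no API token: set JUSTONEAPI_TOKEN, pass --token-file, or --token');
}
```

A typical wiring would be `resolveToken({ argv: process.argv.slice(2), env: process.env, readFile: p => fs.readFileSync(p, 'utf8') })`, printing `warnings` to stderr before making the request; the redacted form is the only representation of the token that should ever reach a log.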
Resource      Declared  Inferred  Status     Evidence
Filesystem    NONE      NONE                 No file system operations in bin/run.mjs
Network       READ      READ      ✓ Aligned  bin/run.mjs:107 - fetch(url, requestInit) only to api.justoneapi.com
Shell         NONE      NONE                 No subprocess, exec, or shell command execution
Environment   NONE      NONE                 No environment variable access in code
Skill Invoke  NONE      NONE                 No nested skill invocation
Clipboard     NONE      NONE                 No clipboard access
Browser       NONE      NONE                 No browser automation
Database      NONE      NONE                 No database access
External URLs: 2 findings

Medium  External URL  https://api.justoneapi.com        SKILL.md:5
Medium  External URL  https://amazon.com/s?node=172282  bin/run.mjs:109
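The scan reports that the only fetch target is api.justoneapi.com; the amazon.com URL flagged at bin/run.mjs:109 is a string the scanner found, not a reported request destination. An added example (not code from the skill) of making that egress constraint explicit in a wrapper around fetch, so a future edit cannot quietly widen it. The host allowlist, the guardedFetch name and the injectable fetchImpl are assumptions; the sample URLs in the usage note are constructed.

```javascript
// Added example (not from the Amazon skill): refuse any outbound URL whose host
// is not on an explicit allowlist before it reaches fetch().
// Assumed: the allowlist below; the skill itself has no such wrapper.

const ALLOWED_HOSTS = new Set(['api.justoneapi.com']);

// Parse and validate; returns the normalised URL string or throws.
function assertAllowedUrl(input, allowed = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(input);
  } catch {
    throw new Error(`refusing malformed URL: ${String(input)}`);
  }
  // HTTPS only: a plaintext request would expose the token in transit.
  if (url.protocol !== 'https:') {
    throw new Error(`refusing non-HTTPS URL: ${url.href}`);
  }
  // Exact hostname match (the URL parser lowercases it). A substring or suffix
  // check would also accept api.justoneapi.com.attacker.example.
  if (!allowed.has(url.hostname)) {
    throw new Error(`refusing request to non-allowlisted host: ${url.hostname}`);
  }
  // Credentials embedded in the URL are never legitimate for this API client.
  if (url.username || url.password) {
    throw new Error('refusing URL with embedded credentials');
  }
  return url.toString();
}

// Boolean form for quick checks (e.g. a CI rule over URLs found in the code).
function isAllowedUrl(input, allowed = ALLOWED_HOSTS) {
  try {
    assertAllowedUrl(input, allowed);
    return true;
  } catch {
    return false;
  }
}

// Drop-in replacement for fetch(url, requestInit); fetchImpl is injectable so
// the guard can be exercised without network access.
async function guardedFetch(input, init = {}, fetchImpl = globalThis.fetch) {
  const url = assertAllowedUrl(input);
  return fetchImpl(url, init);
}
```

With this in place, `guardedFetch('https://api.justoneapi.com/v1/example?x=1', requestInit)` proceeds, while `guardedFetch('https://amazon.com/s?node=172282')`, an `http://` URL, or a look-alike such as `https://api.justoneapi.com.attacker.example/` is rejected before any connection is opened.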

File Tree

4 files · 36.5 KB · 1139 lines
JavaScript: 1 file, 533 lines · JSON: 1 file, 331 lines · Markdown: 2 files, 275 lines
├─ 📁 bin
│ └─ 📜 run.mjs JavaScript 533L · 16.1 KB
├─ 📁 generated
│ ├─ 📋 operations.json JSON 331L · 10.7 KB
│ └─ 📝 operations.md Markdown 219L · 6.3 KB
└─ 📝 SKILL.md Markdown 56L · 3.4 KB

Security Positives

✓ No shell execution or subprocess calls detected
✓ No obfuscation techniques (base64, eval, atob) found
✓ No credential harvesting or environment variable iteration
✓ No sensitive file/path access (~/.ssh, .env, etc.)
✓ No remote code execution patterns
✓ No hidden functionality: documentation matches implementation
✓ All 4 operations use only GET requests with query parameters
✓ No external dependencies: uses only the Node.js built-in fetch API
✓ Clean, straightforward API wrapper with proper error handling