Security Audit
sundial-org/awesome-openclaw-skills:skills/affiliatematic
github.com/sundial-org/awesome-openclaw-skills
Trust Assessment
sundial-org/awesome-openclaw-skills:skills/affiliatematic received a trust score of 48/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The key findings are "Unpinned Third-Party JavaScript Dependency" and "Third-Party Script Accesses Webpage Content and Affiliate Tag".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on March 3, 2026 (commit 6d998e00). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned Third-Party JavaScript Dependency: The skill instructs users to include a JavaScript file (`amazon-widget.iife.js`) directly from a third-party domain (`affiliatematic.com`) without any version pinning or Subresource Integrity (SRI) hash. This creates a significant supply chain risk. If the `affiliatematic.com` server or the script itself is compromised, malicious code could be served to all websites integrating this widget, potentially leading to data exfiltration, defacement, or other client-side attacks on the user's website. Recommend adding Subresource Integrity (SRI) hashes to the script tag to ensure the script has not been tampered with. Also, consider hosting a copy of the script locally or using a versioned URL if available, though SRI is the primary defense against tampering. Example: `<script src="https://affiliatematic.com/amazon-widget.iife.js" async integrity="sha384-..." crossorigin="anonymous"></script>` | Static | SKILL.md:40 |
| MEDIUM | Third-Party Script Accesses Webpage Content and Affiliate Tag: The integration requires embedding a third-party JavaScript widget that explicitly states it "analyzes page content (title, meta, text)" and uses the user's Amazon affiliate tag (`data-tag`). While this is the intended functionality of the service, it means that `affiliatematic.com` will have access to the full content of any page where the widget is embedded, as well as the user's unique Amazon affiliate identifier. Users should be aware of the privacy implications and ensure they trust the third-party service with this data. A malicious or compromised `affiliatematic.com` could potentially exfiltrate sensitive information from the user's website. Advise users to carefully review the privacy policy and security practices of `affiliatematic.com` before integrating the widget, especially on pages that may contain sensitive or private information. Consider whether the scope of data access is strictly necessary for the widget's functionality. | Static | SKILL.md:15 |