"Any offending skills we identify"
The problem, apparently, are the offending skills you don't identify.
It's all well and good to have a security API defending personal information, but if anyone can ask for a credit card number without using that API then it's not much use, is it ?
Once again, a problem was recognized but the proper solution was not implemented. Solution which would have been requiring developers to submit their "Skill" (ugh, I hate that notion) as raw code, to be reviewed by Amazon drones, compiled and tested. The code review would catch things like that.
Of course, Amazon would have to hire competent coders who would spend their time reviewing code, which would be more expensive and time-consuming, but mostly more expensive. But nothing should be able to pass through that kind of filter.