Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ads Optimizer Skill

v1.0.1

Amazon Ads API v3 skill for OpenClaw agents. List profiles, manage Sponsored Products campaigns, view budgets and performance. Works with any advertiser acco...

Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Amazon Ads API v3) align with required binaries (node), the included script, and the network calls to Amazon endpoints. Minor discrepancy: registry metadata lists no required env vars while SKILL.md documents an optional AMAZON_ADS_PATH — this is functional (there's a default path) but the metadata could be more explicit.
Instruction Scope
SKILL.md confines runtime behavior to creating a credentials JSON file, optionally setting AMAZON_ADS_PATH, and running the provided node script. The script only reads that credentials file, fetches tokens from api.amazon.com, and calls Amazon advertising endpoints; it does not reference other system files or unexpected external endpoints.
Install Mechanism
No install spec (instruction-only) and the code file is small and readable. Nothing is downloaded from arbitrary URLs or extracted to disk by an installer.
Credentials
The skill requires Amazon LWA client ID/secret, refresh token, profileId and region — which are appropriate for the Ads API and are stored in a local JSON file rather than as declared environment variables. The metadata did not declare a primary credential or required env vars, which is a minor metadata mismatch but not a functional red flag.
Persistence & Privilege
Skill is not always-on, does not request elevated system privileges, and does not modify other skills or global agent settings. It runs only when invoked.
Assessment
This skill appears to do what it claims: it needs a local amazon-ads-api.json with your LWA client ID/secret, refresh token, profileId, and region, and it uses Node to call Amazon's official endpoints. Before installing: (1) verify the skill's origin — the package has no homepage and an unknown source owner, so prefer code you trust; (2) store amazon-ads-api.json securely (restrict file permissions) and avoid putting production credentials in shared locations; (3) consider using short-lived or scoped credentials and rotate them if you suspect exposure; (4) confirm your Node runtime provides fetch or run with a Node version that supports it; (5) review the small scripts/ads.js yourself (it's readable) — if you accept these conditions, the skill's requirements are proportionate to its purpose.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: node
latest vk974ppannsdj9mvg7s8egd0yds821xvs
626 downloads
0 stars
1 version
Updated 9h ago
v1.0.1
MIT-0

Amazon Ads API Skill

Manage Amazon Sponsored Products campaigns from your OpenClaw agent — list profiles, view campaigns, check budgets, and pull performance data.


Setup

1. Create credentials file

{
  "lwaClientId": "amzn1.application-oa2-client.YOUR_CLIENT_ID",
  "lwaClientSecret": "YOUR_CLIENT_SECRET",
  "refreshToken": "Atzr|YOUR_REFRESH_TOKEN",
  "profileId": "YOUR_ADS_PROFILE_ID",
  "region": "eu"
}

Save as amazon-ads-api.json. Set AMAZON_ADS_PATH env var to point to it (default: ./amazon-ads-api.json).

Regions & endpoints:

  • na: advertising-api.amazon.com
  • eu: advertising-api-eu.amazon.com
  • fe: advertising-api-fe.amazon.com

2. Get your Profile ID

node scripts/ads.js --profiles

Copy the profileId for your brand/marketplace and add it to the credentials file.


Scripts

ads.js — Campaigns & Summary

node scripts/ads.js --profiles                # list all advertiser profiles
node scripts/ads.js --campaigns               # list all SP campaigns
node scripts/ads.js --summary                 # active campaigns + budgets summary
node scripts/ads.js --campaigns --out c.json  # save to file

Credentials Schema

Field            Description
lwaClientId      Ads app client ID (separate from SP-API)
lwaClientSecret  Ads app client secret
refreshToken     LWA refresh token
profileId        Advertising profile ID (from --profiles)
region           na, eu, or fe
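
The scan's advice to restrict permissions on amazon-ads-api.json, together with the schema above, can be checked before the skill is run. This preflight audit is an added example, not part of the skill or its scripts/ads.js; the function names, the `check` argument, the file name in the usage comment and the `YOUR_` placeholder test are assumptions made here, and the permission test assumes POSIX file modes.

```javascript
// Added example: preflight audit of amazon-ads-api.json. Not part of the skill.
const REQUIRED = ['lwaClientId', 'lwaClientSecret', 'refreshToken', 'profileId', 'region'];
const REGIONS = ['na', 'eu', 'fe']; // values from the Credentials Schema

// Pure check. `creds` is the parsed JSON, `mode` is the file's st_mode.
// Run it after step 2, once profileId has been filled in.
function auditCredentials(creds, mode) {
  const problems = [];
  for (const key of REQUIRED) {
    const value = creds[key];
    if (typeof value !== 'string' || value.trim() === '') {
      problems.push(`missing or empty field: ${key}`);
    } else if (value.includes('YOUR_')) {
      // A YOUR_... marker from the setup template means the file is unfinished.
      problems.push(`placeholder left in field: ${key}`);
    }
  }
  if (typeof creds.region === 'string' && !REGIONS.includes(creds.region)) {
    problems.push(`region must be one of: ${REGIONS.join(', ')}`);
  }
  // 0o077 selects the group and other permission bits. Any bit set there
  // lets another local account read or change the client secret and token.
  if ((mode & 0o077) !== 0) {
    problems.push(`file mode ${(mode & 0o777).toString(8)} is too open, use 600`);
  }
  return problems;
}

// Audits the file the skill reads: AMAZON_ADS_PATH or the documented default.
async function auditFile(path = process.env.AMAZON_ADS_PATH || './amazon-ads-api.json') {
  const fs = await import('node:fs/promises'); // works in CommonJS and ESM
  const [stat, text] = await Promise.all([fs.stat(path), fs.readFile(path, 'utf8')]);
  return auditCredentials(JSON.parse(text), stat.mode);
}

// Usage (hypothetical file name and argument): node check-creds.js check
if (process.argv[2] === 'check') {
  auditFile().then(
    (problems) => {
      problems.forEach((p) => console.error(`FAIL: ${p}`));
      process.exitCode = problems.length ? 1 : 0;
    },
    (err) => {
      console.error(`cannot audit credentials file: ${err.message}`);
      process.exitCode = 1;
    },
  );
}
```
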

Notes

  • Ads API uses a separate LWA app from SP-API — different client ID/secret
  • Profile ID is required for all campaign operations
  • Tokens are fetched fresh per request (no caching overhead for CLI use)
  • For production/high-frequency use, add token caching
