Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill: Amazon Listing Optimizer

v1.0.0

Audit Amazon product listing images for non-square dimensions, auto-pad them to 2000×2000 white background, and push corrected images to live listings via SP...

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description match the code: scripts audit listings, pad images, and upload via SP‑API. Required binaries (node, python3) are reasonable for the included scripts and image tooling. Asking for SP‑API credentials (in a credentials file) is proportionate to the stated purpose.
Instruction Scope
The runtime instructions and scripts instruct the agent to start a public HTTP server and have Amazon crawl URLs — this is expected for the upload method used, but the server implementation does not sanitize request paths (path traversal risk) and will serve arbitrary filesystem files if exposed. The SKILL.md also references a fix_title.js script that is not present in the package, showing sloppy/incomplete documentation. The instructions additionally rely on an optional AMAZON_SPAPI_PATH env var (documented) even though the skill metadata lists no required env vars — a minor inconsistency.
Install Mechanism
There is no install spec (instruction-only install), and the dependencies are standard (Pillow via pip, amazon-sp-api via npm). No downloads from arbitrary URLs or archive extraction are present in the package. All code is included in the repo.
Credentials
The skill requires SP‑API credentials (lwa client id/secret, refresh token, sellerId, marketplace) stored in a local JSON file — this is expected for making listings changes. The package does not request unrelated credentials. One minor mismatch: SKILL.md mentions AMAZON_SPAPI_PATH env var (optional) but the registry metadata lists no required env vars; the credential file approach may be fine but users should ensure credentials provided have minimal necessary scopes (listingsItems write).
Persistence & Privilege
The skill is not set to always:true and does not request persistent system-wide privileges. It runs transient local servers and SP‑API calls as invoked, which matches the described purpose. Autonomous invocation is allowed (platform default) but not an additional red flag by itself.
What to consider before installing
This package appears to do what it claims, but stop and address the following before running on a production machine or with real seller credentials:

  • The image pusher starts a public HTTP server and directly maps request paths to files without sanitizing ../ sequences. If you run this server on a publicly reachable IP, an attacker (or crawler) could download arbitrary files readable by the process. Run the server only in a hardened environment, serve from an isolated directory, or replace the simple server with a secure static-file server that prevents path traversal.
  • Verify the SP‑API credential file (AMAZON_SPAPI_PATH) exists and that the credentials have only the minimal scopes needed (listings write). Keep those credentials private and rotate them if needed.
  • The README/SKILL.md mention a fix_title.js script that is not included — treat the docs as slightly unreliable and inspect the included scripts carefully before use.
  • The code makes an external call to api.ipify.org to detect the public IP; if you prefer not to call third‑party services, supply the public IP/hostname manually or use a secure proxy/S3 approach.
  • If you plan to run this on a server, host the images on a controlled CDN/S3 with restricted access where possible and confirm Amazon's required URL handling rather than exposing your entire host.

If these issues are fixed (sanitize server paths or use a safe file server; remove missing/inaccurate docs), the skill would be coherent and appropriate for its purpose.


Runtime requirements

Bins: node, python3
latest: vk972ap03mdsjv2q0qsx1pm9sc9821h69
475 downloads
0 stars
2 versions
Updated 7h ago
v1.0.0
License: MIT-0

Amazon Listing Image Optimizer

Automatically fix non-square product images on Amazon listings — download, pad to 2000×2000 white background, and push back to live listings via SP-API. No manual Seller Central work required.


Why This Exists

Amazon penalizes listings with non-square images (aspect ratio != 1:1). Common offenders:

  • Landscape 16:9 or 4:3 product shots
  • Portrait hero images
  • Tiny low-resolution images

This skill detects, fixes, and re-uploads — all automatically.


Setup

1. Install dependencies

pip3 install Pillow
npm install amazon-sp-api

2. Create SP-API credentials file

{
  "lwaClientId": "amzn1.application-oa2-client.YOUR_CLIENT_ID",
  "lwaClientSecret": "YOUR_CLIENT_SECRET",
  "refreshToken": "Atzr|YOUR_REFRESH_TOKEN",
  "region": "eu",
  "marketplace": "YOUR_MARKETPLACE_ID",
  "sellerId": "YOUR_SELLER_ID"
}

Set AMAZON_SPAPI_PATH env var to point to it (default: ./amazon-sp-api.json).


Scripts

audit.js — Detect non-square images

node scripts/audit.js --sku "MY-SKU"          # audit single SKU
node scripts/audit.js --all                    # audit all FBA SKUs
node scripts/audit.js --all --out report.json  # save report

Outputs: list of non-conforming image slots with dimensions.

pad_to_square.py — Fix images locally

# After audit.js downloads originals to ./image_fix/
python3 scripts/pad_to_square.py ./image_fix/

Pads all *_orig.jpg files to 2000×2000 white background, outputs *_fixed.jpg.

push_images.js — Upload fixed images to Amazon

node scripts/push_images.js --dir ./image_fix/ --sku "MY-SKU" --slots PT03,PT05

Spins up a local HTTP server on a public port, submits image URLs to SP-API, then auto-kills the server after 15 minutes (time for Amazon to crawl).

fix_title.js — Patch listing title

node scripts/fix_title.js --sku "MY-SKU" --title "New optimized title here"

Full Pipeline (one command)

node scripts/audit.js --all --out report.json
python3 scripts/pad_to_square.py ./image_fix/
node scripts/push_images.js --dir ./image_fix/ --from-report report.json

Image Slot Reference

Slot       Attribute                         Description
MAIN       main_product_image_locator        Hero image (must be white bg)
PT01–PT08  other_product_image_locator_1_8   Secondary images

Notes

  • Amazon processes image updates within 15–30 mins of ACCEPTED response
  • VPS must have a publicly accessible IP/port for the temp HTTP server (or use S3/Cloudflare)
  • PIL uses LANCZOS resampling for best quality when resizing
  • Keep images under 10MB; target 2000×2000px @ 95% JPEG quality
