Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Amazon Listing Image Optimizer

v1.0.0

Audit Amazon product listing images for non-square dimensions, auto-pad them to 2000×2000 white background, and push corrected images to live listings via SP...

by Zero2Ai @zero2ai-hub
Security Scan
VirusTotal: Suspicious (View report →)
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The code files (audit.js, pad_to_square.py, push_images.js) match the stated purpose (audit images, pad to 2000×2000, and upload via SP‑API). However the skill metadata claims 'Required env vars: none' and 'Primary credential: none' while the SKILL.md and code require an Amazon SP‑API credentials JSON (lwaClientId, lwaClientSecret, refreshToken, sellerId, marketplace). Also SKILL.md documents a fix_title.js script but that file is not present in the package — an incoherence that could indicate incomplete packaging or missing functionality.
Instruction Scope (flagged)
The runtime instructions are explicit about installing Pillow and amazon-sp-api and creating an SP‑API credentials file. The push_images script starts an HTTP server bound to 0.0.0.0 and advertises serving images from the local host (or using S3/Cloudflare). Serving files publicly is necessary for the described Amazon-crawl technique but increases exposure: any file in the served directory could be accessible if mis-specified. The instructions do not emphasize limiting the served directory, firewalling the port, or using pre-signed S3 URLs (safer). The SKILL.md also references a missing fix_title.js, which is inconsistent with the file manifest.
Install Mechanism
There is no custom install script; dependencies are standard (pip Pillow, npm amazon-sp-api). No downloads from arbitrary URLs or archive extraction occur. The lack of an install spec keeps risk lower; code is shipped with the skill and runs locally.
Credentials (flagged)
The only sensitive data required by the code is Amazon SP‑API credentials (LWA client id/secret, refresh token, sellerId, marketplace), which are appropriate for a tool that patches listings. However the skill metadata failed to declare this requirement (no required env vars / primary credential), which is misleading and prevents informed consent. The code also optionally reads PRODUCT_TYPE from env and expects AMAZON_SPAPI_PATH (documented in SKILL.md but not declared in metadata).
Persistence & Privilege
The skill does not request always:true and doesn't attempt to modify other skills or system-wide settings. It runs as-invoked and cleans up its temporary HTTP server after 15 minutes. Autonomous invocation is allowed by default but is not combined here with other high-risk privileges.
What to consider before installing
This package appears to implement the advertised workflow, but there are three things to check before installing or giving it credentials:

1) Credentials: The tool requires Amazon SP‑API credentials (LWA client id/secret and a refresh token) via a JSON file pointed to by AMAZON_SPAPI_PATH, but the package metadata does not declare these requirements — treat that as a red flag and only provide such credentials to code you fully trust. Those credentials can modify listings, so limit their scope and revoke them if you stop using the tool.

2) Public HTTP server: push_images.js binds an HTTP server to 0.0.0.0 and exposes files from the specified directory for ~15 minutes so Amazon can crawl them. Run this in a locked-down environment (dedicated VM/VPS), ensure the served directory contains only the intended image files, restrict network access (firewall, allowlist), or prefer uploading images to S3 and providing pre-signed URLs instead.

3) Packaging inconsistencies: SKILL.md references fix_title.js but that file is missing from the bundle; metadata doesn't list required env vars. Review the included scripts manually (they are short) to ensure there is no hidden exfiltration or unrelated file access.

If the maintainer can update metadata to declare required credentials and fix the missing file, and you validate the code, the skill would be more trustworthy. If you are not comfortable providing SP‑API credentials or exposing a public port, do not install or run this skill. If you proceed, do so in an isolated environment and rotate/revoke credentials afterward.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: node, python3
388 downloads · 0 stars · 1 version
Updated 8h ago
v1.0.0
MIT-0

Amazon Listing Image Optimizer

Automatically fix non-square product images on Amazon listings — download, pad to 2000×2000 white background, and push back to live listings via SP-API. No manual Seller Central work required.


Why This Exists

Amazon penalizes listings with non-square images (aspect ratio != 1:1). Common offenders:

  • Landscape 16:9 or 4:3 product shots
  • Portrait hero images
  • Tiny low-resolution images

This skill detects, fixes, and re-uploads — all automatically.


Setup

1. Install dependencies

pip3 install Pillow
npm install amazon-sp-api

2. Create SP-API credentials file

{
  "lwaClientId": "amzn1.application-oa2-client.YOUR_CLIENT_ID",
  "lwaClientSecret": "YOUR_CLIENT_SECRET",
  "refreshToken": "Atzr|YOUR_REFRESH_TOKEN",
  "region": "eu",
  "marketplace": "YOUR_MARKETPLACE_ID",
  "sellerId": "YOUR_SELLER_ID"
}

Set AMAZON_SPAPI_PATH env var to point to it (default: ./amazon-sp-api.json).


Scripts

audit.js — Detect non-square images

node scripts/audit.js --sku "MY-SKU"          # audit single SKU
node scripts/audit.js --all                    # audit all FBA SKUs
node scripts/audit.js --all --out report.json  # save report

Outputs: list of non-conforming image slots with dimensions.

pad_to_square.py — Fix images locally

# After audit.js downloads originals to ./image_fix/
python3 scripts/pad_to_square.py ./image_fix/

Pads all *_orig.jpg files to 2000×2000 white background, outputs *_fixed.jpg.

push_images.js — Upload fixed images to Amazon

node scripts/push_images.js --dir ./image_fix/ --sku "MY-SKU" --slots PT03,PT05

Spins up a local HTTP server on a public port, submits image URLs to SP-API, then auto-kills the server after 15 minutes (time for Amazon to crawl).

fix_title.js — Patch listing title

node scripts/fix_title.js --sku "MY-SKU" --title "New optimized title here"

Full Pipeline (one command)

node scripts/audit.js --all --out report.json
python3 scripts/pad_to_square.py ./image_fix/
node scripts/push_images.js --dir ./image_fix/ --from-report report.json

Image Slot Reference

Slot        Attribute                          Description
MAIN        main_product_image_locator         Hero image (must be white bg)
PT01–PT08   other_product_image_locator_1_8    Secondary images

Notes

  • Amazon processes image updates within 15–30 mins of ACCEPTED response
  • VPS must have a publicly accessible IP/port for the temp HTTP server (or use S3/Cloudflare)
  • PIL uses LANCZOS resampling for best quality when resizing
  • Keep images under 10MB; target 2000×2000px @ 95% JPEG quality
