APM Product Management API
Pending: VirusTotal audit pending.
Overview
No VirusTotal analysis has been recorded yet. File reputation checks will appear here once the artifact hash has been scanned.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
With a valid token, an agent could change or delete product listings, prices, inventory, discounts, or display status in the APM account.
The skill documents token-authenticated write and delete operations that can change business-critical product data, but the artifacts do not document mandatory confirmation, preview, scoped allowlists, or rollback steps before these actions.
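17 admin operations for product add/delete/edit and price, stock, and discount management ... gds_m_delgoods — Delete product information [seller] ... gds_m_editgoodsprice — Edit product price [seller] ... gds_m_editgoodsstock — Edit product stock [seller]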
Require explicit user approval for every write, delete, and bulk action; show target goods IDs and old/new values before calling the API; use read-only access unless mutation is needed.
A mistaken or overbroad product ID list could remove multiple user-created products in one request.
The API supports bulk deletion by an array of product IDs, but the artifact does not describe batch limits, dry-run review, or per-item confirmation.
The user deletes self-added payment products (bulk processing supported). ... POST JSON: { goods_ids: [product ID 1, product ID 2, ...] }
Add a dry-run/preview workflow, cap batch sizes, and require confirmation of each product ID before deletion.
Anyone or any agent with this token may be able to perform APM actions allowed by that account, including seller/product mutations if the token has those privileges.
The skill requires an APM access token and sends it as the authcode header for authenticated API calls; this is expected for the integration but sensitive.
requires: env: - APM_USER_TOKEN ... Authentication header: authcode: "HH " + access_token
Use the least-privileged token possible, separate seller/admin and normal user tokens, and avoid installing with a high-privilege token unless needed.
Images or screenshots used for search or complaint workflows may be transmitted to the APM service.
The image-search endpoint sends user-provided image data to the disclosed APM API; this is purpose-aligned but users should know photos are uploaded externally.
Search for similar products by image ... POST JSON: { img: "base64 string" }
Upload only intended images, avoid sensitive personal information in screenshots/photos, and confirm the destination service is trusted.
