eBay Agent
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a legitimate eBay research tool, with expected use of eBay developer credentials and optional local saved-search state.
This skill is reasonable to install if you want eBay search, valuation, and deal-checking features. Before installing, be comfortable providing eBay developer credentials, store EBAY_CERT_ID securely, and remember that saved watch searches are kept on disk. Do not provide user-level seller OAuth tokens or use seller API examples unless you intentionally want eBay listing or order-management capabilities.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your eBay developer client secret is used by the tool and should be protected like a password, even though the visible code uses app-level read/search access rather than user account actions.
The tool uses the user's eBay developer App ID and Cert ID to obtain an app-level OAuth token, which is expected for the stated API-based research purpose.
app_id = os.getenv("EBAY_APP_ID") ... cert_id = os.getenv("EBAY_CERT_ID") ... "grant_type": "client_credentials", "scope": scope
Use dedicated eBay developer credentials, keep EBAY_CERT_ID out of logs and shared environments, and use sandbox credentials when testing.
Anyone with access to your local account could see saved search interests and target prices in the watch file.
Saved searches and price thresholds persist locally and can affect later watch checks.
Watches are stored in `~/.ebay-agent/watches.json`. Override with `--state-file <path>` on any watch subcommand.
Review or delete the watch file if searches are sensitive, and use --state-file to place the state somewhere appropriate.
Future dependency versions could change behavior, which matters more because the tool handles an API secret.
Dependencies are specified with lower bounds rather than exact pinned versions, so installs may resolve to newer package releases over time.
dependencies = [
"httpx>=0.27",
"rich>=13.0",
"python-dotenv>=1.0",
]
Install from a trusted source and consider using a locked or reviewed environment if you are protecting important credentials.
If reused outside the documented CLI workflow, these examples could guide seller-account actions that require separate user-level authorization.
The reference material includes seller-side API examples for creating and publishing listings, which are higher-impact than the main research CLI commands.
## Inventory API (Create Listings) ... Auth: Authorization Code flow (user-level token) required ... POST /offer/{offerId}/publish
Treat seller API examples as documentation only; do not provide user OAuth tokens or run listing/order-management calls unless you explicitly intend those actions.
