Amazon Store Report

Audited by ClawScan on May 10, 2026.

Overview

The skill’s Amazon report-download purpose is coherent, but it needs review because it tells the agent to auto-install an auth dependency and handles OAuth-protected seller reports that may include financial, tax, and order data.

Before installing, confirm you trust both this skill and the required linkfox-amazon-store-auth dependency, do not allow automatic dependency installation without reviewing its source and permissions, use the narrowest Amazon authorization available, and treat downloaded report files and local HTTP links as sensitive.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could change the user’s installed skill set and trust a new auth-handling component before the user has reviewed it.

Why it was flagged

The skill instructs the agent to install another skill automatically when the dependency is missing. Because that dependency manages Amazon authorization and no pinned source/version or explicit user approval step is shown, this is a material supply-chain and environment-mutation concern.

Skill content

If the current runtime has a skill installation tool... **immediately invoke** it to install `linkfox-amazon-store-auth`.

Recommendation

Require explicit user approval before installing the dependency, show the dependency’s publisher/source/version and permissions, and pin or verify the trusted source.

What this means

The skill can retrieve OAuth-protected Amazon Seller reports, including potentially sensitive order, inventory, tax, and financial information.

Why it was flagged

The skill uses delegated Amazon Seller access tokens through the auth dependency. This is expected for fetching Amazon reports, but it is sensitive account access.

Skill content

This skill internally calls the `/spApi/storeTokens` endpoint provided by the dependency skill to obtain an `accessToken`, then goes through `/spApi/developerProxy`

Recommendation

Use only with trusted Amazon accounts and least-privilege authorization, and review sellerId, marketplaceIds, reportType, and date ranges before running.

What this means

If the proxy were used outside the documented report flow, it could perform broader Amazon SP-API actions under the user’s token.

Why it was flagged

A developer proxy is a broad API route. The documentation frames it for the Reports API lifecycle, but users should ensure it remains scoped to report requests and downloads.

Skill content

This skill mainly calls `/spApi/developerProxy` (the LinkFox store gateway proxy)... and assembles the request body according to `reportType`

Recommendation

Keep calls restricted to the documented Reports API endpoints and require review for any non-report proxy operation.

What this means

On a shared or exposed machine, a temporary local download URL could reveal sensitive Amazon report contents.

Why it was flagged

The skill serves the extracted report over a temporary local HTTP URL by default. It is disclosed as local and time-limited, but the files may contain sensitive seller data.

Skill content

`extractedFileHttpUrl` ... a **temporary local HTTP** direct link... service keep-alive duration (default 300, minimum 10)

Recommendation

Keep the service bound to localhost, shorten the serve duration where possible, avoid running on shared/public machines, and delete downloaded reports when no longer needed.