Skill Amazon Listing Optimizer

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is not clearly malicious, but it needs review because it can use Amazon seller write credentials to bulk change live listings and opens a public file server with weak safeguards.

Use this skill only after reviewing and hardening the push flow: keep Amazon credentials outside the project and any served directory, do not run bulk pushes without manually checking the report and the fixed images, and replace the public local file server with safer hosting or strict path controls.

Static analysis

Env credential access (Critical, reported twice)
Environment variable access combined with network send.

Exposed secret literal (Critical, reported twice)
File appears to expose a hardcoded API secret or token.

VirusTotal

65/65 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who can reach the temporary port may be able to download product images or other local files, potentially including Amazon seller credentials.

Why it was flagged

The push step exposes an unauthenticated public HTTP server and joins the raw request path onto the served directory without checking that the resolved path stays inside that directory. With the documented default credential file at ./amazon-sp-api.json and examples that serve ./image_fix/, path traversal could expose adjacent local files, including the seller API credentials.

Skill content
const filePath = path.join(dir, req.url.replace(/^\//, '')); ... fs.createReadStream(filePath).pipe(res); ... server.listen(port, '0.0.0.0');
Recommendation

Do not expose this server as written. Use S3 or another constrained hosting mechanism, or add path normalization, directory containment checks, file allowlists, firewalling/authentication, and keep credentials outside any traversable parent directory.

What this means

Incorrect reports, stale fixed files, or unintended agent invocation could change many live Amazon product images and affect sales or compliance.

Why it was flagged

The script directly replaces Amazon listing image attributes through SP-API. Combined with the documented --all / --from-report pipeline, this can bulk-update live public listings without an artifact-backed confirmation step or rollback workflow.

Skill content
operation: 'patchListingsItem', endpoint: 'listingsItems', ... op: 'replace', path: `/attributes/${attr}`
Recommendation

Require explicit user confirmation before every push, review the report and file mappings, add a dry-run mode, back up current listing attributes, and prefer scoped single-SKU operation by default.

What this means

Installing or running the skill requires trusting it with seller-account credentials capable of modifying listing data.

Why it was flagged

The script reads long-lived Amazon SP-API credentials from a local file, while the registry metadata declares no primary credential, required environment variable, or required config path. This is high-impact seller-account authority and should be explicitly declared and bounded.

Skill content
const CREDS_PATH = process.env.AMAZON_SPAPI_PATH || './amazon-sp-api.json'; ... refresh_token: creds.refreshToken ... SELLING_PARTNER_APP_CLIENT_SECRET: creds.lwaClientSecret
Recommendation

Declare the credential requirement in metadata, use least-privilege SP-API scopes, store credentials outside the served project tree, rotate tokens if exposed, and avoid running the push step unless the exact account and marketplace are verified.

What this means

A user or agent may look for, or add, unreviewed code to patch live listing titles, extending the skill beyond the reviewed artifacts.

Why it was flagged

The documented title-patching script is not present in the supplied file manifest, and changing listing titles is outside the image optimizer purpose. That creates a provenance gap for an unreviewed, high-impact account-mutation path.

Skill content
### `fix_title.js` — Patch listing title ... node scripts/fix_title.js --sku "MY-SKU" --title "New optimized title here"
Recommendation

Remove this reference or include the reviewed script with explicit metadata, permissions, confirmations, and a clear explanation of why title mutation belongs in this skill.