Skill: Amazon Review Request
v1.0.0 · Sends Amazon review requests for eligible shipped orders using SP-API with retry, deduplication, eligibility checks, and optional dry-run mode.
⭐ 0 · 259 · 1 current · 1 all-time
by Zero2Ai (@zero2ai-hub)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The skill's stated purpose is to send SP-API review requests, and the script requires SP-API credentials (refresh token, client ID/secret, marketplace ID) and optionally Supabase credentials. However, the registry metadata declares no required environment variables and no primary credential. That mismatch is problematic: a user would reasonably expect the manifest to declare the sensitive credentials the skill needs, and an installer cannot review permissions it is never told about.
Instruction Scope
SKILL.md and the script instruct the agent to read ~/amazon-sp-api.json (or the SP_API_* environment variables) and, optionally, ~/supabase-api.json (or the file named by SUPABASE_API_PATH). The runtime instructions also have the script write logs under data/ and suggest a cron entry that runs it from the workspace. These behaviors are consistent with the stated purpose, but the instructions reference filesystem paths and an optional external (Supabase) endpoint that the manifest does not declare; that gap should be fixed. At runtime the script makes network calls to Amazon endpoints and, if configured, to a Supabase REST endpoint.
Install Mechanism
This is an instruction-only skill with a single shipped script and no install specification. That is low risk from a packaging/install perspective, because nothing is downloaded or extracted at install time. The shipped script does run when the skill is invoked, so its runtime behavior is what needs review (and is what was reviewed here).
Credentials
The script requires highly sensitive credentials (SP-API refresh token, client ID/secret, marketplace ID) and may also use a Supabase URL and key. Those credentials are proportionate to the stated task, but the manifest does not declare them. Without declared required environment variables or a primary credential, an installer cannot review the permissions being granted or reason about least privilege.
Persistence & Privilege
The skill does not request always: true or other elevated platform privileges, and it does not modify other skills. It writes local logs/tracking files under data/, which is expected for its function.
What to consider before installing
Do not install or enable this skill until the author fixes the manifest to declare the sensitive credentials it needs. Specifically:
(1) Confirm the author adds the required environment variables (SP_API_REFRESH_TOKEN, SP_API_CLIENT_ID, SP_API_CLIENT_SECRET, SP_API_MARKETPLACE_ID) to the registry metadata, or documents SP_API_PATH there.
(2) Confirm whether the Supabase integration is optional and, if it is used, exactly what data is sent to the Supabase instance (the URL and key are themselves sensitive).
(3) Inspect the script locally and run it with --dry-run first, in an isolated environment, to verify its behavior before it touches real orders.
(4) Avoid placing credentials in world-readable files; prefer environment variables or a secure secret store, and if you do use ~/amazon-sp-api.json, make it readable by the owner only.
(5) If you plan to schedule it via cron, run it under a dedicated, minimal-permission account and monitor its network activity.
The mismatch between the manifest and the runtime requirements is the main red flag. Once it is corrected and documented, the skill appears coherent with its stated purpose.
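The following is an added example, written for this review and not part of the skill or of its author's code. It shows how a caller could apply recommendations (1) and (4) above in code: prefer the SP_API_* environment variables, fall back to the credential file only when it is not group- or world-readable, verify every required field before anything touches the network, and compute the set of variables a script reads that its manifest fails to declare (the gap the scan flagged). The JSON key names inside the credential file and the manifest shape ("requires": {"env": [...]}) are assumptions for illustration; the skill's real file layout and the registry's manifest schema may differ.

```python
"""Safe SP-API credential loading and manifest/runtime consistency check.

Added example for this review, not the skill's own code. Assumptions:
the JSON file uses the env var names lower-cased without the SP_API_ prefix
(e.g. "client_id"), and the manifest lists required env vars under
manifest["requires"]["env"].
"""
import json
import os
import stat
import tempfile
from pathlib import Path

# Environment variables named in the review as required by the script.
REQUIRED_ENV = (
    "SP_API_REFRESH_TOKEN",
    "SP_API_CLIENT_ID",
    "SP_API_CLIENT_SECRET",
    "SP_API_MARKETPLACE_ID",
)


class CredentialError(Exception):
    """Raised when credentials are missing or stored insecurely."""


def _json_key(var: str) -> str:
    # Assumed mapping: SP_API_CLIENT_ID -> "client_id"
    return var.removeprefix("SP_API_").lower()


def load_sp_api_credentials(env: dict, path: Path) -> dict:
    """Return {ENV_VAR: value} for all of REQUIRED_ENV.

    Environment variables win. The file is only a fallback, and it is refused
    outright if any group/other permission bit is set, because a credential
    file other local users can read is the failure mode the review warns about.
    """
    creds = {k: env[k] for k in REQUIRED_ENV if env.get(k)}
    if len(creds) == len(REQUIRED_ENV):
        return creds  # fully configured from the environment; never touch disk

    if not path.is_file():
        missing = sorted(set(REQUIRED_ENV) - set(creds))
        raise CredentialError(f"missing {missing} and no credential file at {path}")

    mode = path.stat().st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialError(
            f"{path} is mode {stat.filemode(mode)}; refusing to read credentials "
            "that other users can access (chmod 600 the file)"
        )

    with path.open() as fh:
        data = json.load(fh)
    for var in REQUIRED_ENV:
        if var not in creds:
            value = data.get(_json_key(var))
            if not value:
                raise CredentialError(f"{var} not set in environment or {path}")
            creds[var] = value
    return creds


def undeclared_credentials(manifest: dict, script_env_refs: set) -> set:
    """Env vars the script reads that the manifest never declares.

    An empty result is what an installer should expect; a non-empty result is
    exactly the manifest/runtime mismatch the scan reports for this skill.
    """
    declared = set(manifest.get("requires", {}).get("env", []))
    return {v for v in script_env_refs if v not in declared}


def demo() -> dict:
    """Exercise the checks offline with constructed files and return outcomes."""
    workdir = Path(tempfile.mkdtemp())
    # Constructed sample credential values; not real Amazon identifiers.
    secret = {
        "refresh_token": "example-refresh-token",
        "client_id": "example-client-id",
        "client_secret": "example-client-secret",
        "marketplace_id": "EXAMPLE-MARKETPLACE",
    }
    loose = workdir / "amazon-sp-api.json"          # world-readable: must be refused
    loose.write_text(json.dumps(secret))
    os.chmod(loose, 0o644)
    tight = workdir / "amazon-sp-api.private.json"  # owner-only: acceptable
    tight.write_text(json.dumps(secret))
    os.chmod(tight, 0o600)

    results = {}
    try:
        load_sp_api_credentials({}, loose)
        results["world_readable"] = "accepted"
    except CredentialError:
        results["world_readable"] = "refused"
    results["owner_only"] = load_sp_api_credentials({}, tight)["SP_API_MARKETPLACE_ID"]
    env = {v: "from-env" for v in REQUIRED_ENV}
    results["env_wins"] = load_sp_api_credentials(env, loose)["SP_API_CLIENT_ID"]
    # A manifest like this skill's: nothing declared under requires.env.
    manifest = {"name": "amazon-review-request", "requires": {}}
    results["undeclared"] = sorted(undeclared_credentials(manifest, set(REQUIRED_ENV)))
    return results


if __name__ == "__main__":
    print(demo())
```

The permission check deliberately tests the mode bits rather than attempting to open the file, so it fails closed even when the process itself (for example a cron job running as root) would be able to read a 0644 file: the point is that other accounts could read it too.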
latest · vk972fqqtzmxjew8239xjxet96s8229tn
