Skill Amazon Review Request
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its Amazon review-request purpose, but it uses seller API credentials and optional Supabase logging that are not clearly declared in the registry or main user-facing instructions.
Review the code and configuration before installing, run dry-run mode first, use least-privilege Amazon SP-API credentials, and only enable Supabase logging or cron scheduling if you explicitly want those data flows and recurring actions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and running the skill gives it authority to act through your Amazon seller integration and send customer-facing review requests.
This requires delegated Amazon seller credentials with Messaging authority, while the registry metadata declares no primary credential or required environment variables.
SP-API credentials in `~/amazon-sp-api.json`: `refreshToken`, `clientId`, `clientSecret`, `marketplaceId` ... SP-API app must have **Messaging** permission granted
Declare the SP-API credential requirement in metadata and use a least-privilege SP-API app with only the permissions needed for review requests.
Order IDs, ASINs, statuses, timestamps, and errors may be stored in an external Supabase project if that credential file exists.
The script can read a Supabase key from the home directory and send order tracking data to a Supabase REST API, while the main SKILL.md behavior table emphasizes local log files.
const SUPABASE_CREDS_FILE = process.env.SUPABASE_API_PATH || require('os').homedir() + '/supabase-api.json'; ... await supabaseInsert('review_requests', { order_id: orderId, asin: asin || null, status, attempted_at: new Date().toISOString(), error: error || null })
Prominently document Supabase as an optional external data destination, require explicit opt-in, and state exactly what order data is transmitted and retained.
A live run can send review requests for all orders the script considers eligible.
The live path posts Amazon review-request messages. This is the stated purpose and is scoped by eligibility, deduplication, and rate limiting, but it is still a customer-facing account action.
path: `/messaging/v1/orders/${orderId}/messages/requestReview?marketplaceIds=${SP_API_MARKETPLACE_ID}`, method: 'POST'
Run `--dry-run` first, review the target marketplace and eligibility results, and consider adding a confirmation or maximum-send limit for live runs.
If scheduled, the skill can continue sending review requests every day without further prompts.
The README recommends recurring execution. It is user-directed and disclosed, but it creates ongoing automated activity until the cron entry is removed.
Run daily via cron: `0 5 * * * cd $HOME/.openclaw/workspace && node skills/skill-amazon-review-request/scripts/request-reviews.js >> data/review-requests-cron.log 2>&1`
Only add the cron job after validating dry-run output, and document how to disable or remove the scheduled task.
Local logs may retain order IDs and review-request history beyond the immediate run.
The skill keeps persistent per-order history. This supports deduplication, but the log contains business order identifiers and outcomes.
`Tracking log` | `data/review-requests-log.json` — per-order status, sentAt, attempts
Store logs in a protected location, set retention expectations, and avoid sharing the log files unless needed.
