Skill Amazon Spapi

Warn

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a real Amazon SP-API integration, but it can use seller credentials to fetch business data and change live listing prices without built-in approval or safety limits.

Use this skill only if you trust the source and need an agent to access your Amazon seller account. Pin the npm dependency, store the credential file securely, grant the narrowest SP-API permissions possible, and require manual approval for every listing price update.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent invocation or mistaken command could change a live product price on Amazon, potentially affecting sales, revenue, and customer-facing listings.

Why it was flagged

The script directly patches a live Amazon listing price from command-line arguments, with no confirmation prompt, price bounds, dry-run mode, allowlist, or rollback mechanism.

Skill content

operation: 'patchListingsItem', endpoint: 'listingsItems', ... path: '/attributes/purchasable_offer', ... value_with_tax: parseFloat(price)

Recommendation

Require explicit user confirmation before any update, add dry-run output, enforce minimum/maximum price limits, validate marketplace/currency, and log changes with a rollback procedure.

What this means

Installing and using the skill gives the agent access to sensitive seller-account operations such as orders, inventory, listings, and pricing.

Why it was flagged

The skill requires long-lived Amazon SP-API credentials tied to a seller account, but the artifacts do not state required SP-API role scopes or restrict the credential to read-only use despite including price-update functionality.

Skill content

"lwaClientSecret": "YOUR_CLIENT_SECRET", "refreshToken": "Atzr|YOUR_REFRESH_TOKEN", "marketplace": "YOUR_MARKETPLACE_ID", "sellerId": "YOUR_SELLER_ID"

Recommendation

Use the least-privileged SP-API app roles possible, keep the credential file outside shared workspaces with restrictive permissions, and disclose the credential requirement in metadata.

What this means

The installed dependency version may vary over time, which can affect behavior and supply-chain risk.

Why it was flagged

The skill depends on a remote npm package without a pinned version or lockfile in the provided artifacts. This is expected for an SP-API integration, but it leaves dependency version/provenance to the install environment.

Skill content

npm install amazon-sp-api

Recommendation

Pin the amazon-sp-api package version, use a lockfile, and install from a trusted package registry.