Amazon Listing Image Optimizer

This package appears to implement the advertised workflow, but there are three things to check before installing or giving it credentials: 1) Credentials: The tool requires Amazon SP‑API credentials (LWA client id/secret and a refresh token) via a JSON file pointed to by AMAZON_SPAPI_PATH, but the package metadata does not declare these requirements — treat that as a red flag and only provide such credentials to code you fully trust. Those credentials can modify listings, so limit their scope and revoke them if you stop using the tool. 2) Public HTTP server: push_images.js binds an HTTP server to 0.0.0.0 and exposes files from the specified directory for ~15 minutes so Amazon can crawl them. Run this in a locked-down environment (dedicated VM/VPS), ensure the served directory contains only the intended image files, restrict network access (firewall, allowlist), or prefer uploading images to S3 and providing pre-signed URLs instead. 3) Packaging inconsistencies: SKILL.md references fix_title.js but that file is missing from the bundle; metadata doesn't list required env vars. Review the included scripts manually (they are short) to ensure there is no hidden exfiltration or unrelated file access. If the maintainer can update metadata to declare required credentials and fix the missing file, and you validate the code, the skill would be more trustworthy. If you are not comfortable providing SP‑API credentials or exposing a public port, do not install or run this skill. If you proceed, do so in an isolated environment and rotate/revoke credentials afterward.