Amazon Listing Image Optimizer

Warn. Audited by ClawScan on May 10, 2026.

Overview

This appears to be a real Amazon image-listing automation skill, but it can make bulk live listing changes and its temporary public image server may expose local files or credentials.

Review carefully before installing. If you use it, run only on a small test SKU first, keep SP-API credentials outside the working and served directories, do not expose the included HTTP server without fixing its path traversal issue, and require manual review before pushing any live Amazon listing changes.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

During the 15-minute crawl window, someone who can reach the port could potentially retrieve local files, including sensitive credentials if they are in a reachable parent path.

Why it was flagged

The public HTTP server serves a file path derived directly from the request URL without resolving and enforcing that it stays inside the image directory. With the documented ./image_fix/ directory and default ./amazon-sp-api.json credential file, ../ path traversal could expose files outside the intended image folder while the server is publicly reachable.

Skill content
const filePath = path.join(dir, req.url.replace(/^\//, ''));
...
fs.createReadStream(filePath).pipe(res);
...
server.listen(port, '0.0.0.0');

Recommendation

Do not expose this server as written. Serve only from an isolated temporary directory, normalize/resolve paths and reject directory escapes, whitelist expected *_fixed.jpg files, use firewall rules or signed S3 URLs, and keep credentials outside any served path.

What this means

A mistaken or overbroad invocation can change public product images on the seller account, affecting listings, brand presentation, and revenue.

Why it was flagged

The skill requires delegated Amazon seller credentials and uses them for live listing updates. This is purpose-aligned, but it is high-impact account authority and the supplied registry metadata declares no primary credential or capability tag.

Skill content
"lwaClientSecret": "YOUR_CLIENT_SECRET",
"refreshToken": "Atzr|YOUR_REFRESH_TOKEN"
...
"push corrected images to live listings via SP-API"

Recommendation

Use least-privilege SP-API credentials, declare the credential requirement in metadata, store the credential file outside served directories, and require explicit user approval before any live patch operation.

What this means

A bad report, wrong image file, or flawed padding step could propagate incorrect images across many live Amazon listings.

Why it was flagged

The advertised full pipeline audits all FBA SKUs and then pushes every reported fix to live listings, with no documented confirmation, staged review, rollback, or batch limit.

Skill content
node scripts/audit.js --all --out report.json
python3 scripts/pad_to_square.py ./image_fix/
node scripts/push_images.js --dir ./image_fix/ --from-report report.json

Recommendation

Add a dry-run and review step, require per-SKU or per-batch confirmation, back up current image attributes, and provide a rollback workflow before pushing changes.

What this means

Users may install newer dependency versions than reviewed here, and the documentation may not match the supplied package.

Why it was flagged

The setup installs unpinned public packages, and the documentation references a title-patching helper that is not included in the supplied files. This is not malicious by itself, but users should verify the exact dependencies and package contents.

Skill content
pip3 install Pillow
npm install amazon-sp-api
...
### `fix_title.js` — Patch listing title

Recommendation

Pin dependency versions, include a lockfile or install spec, remove or supply the referenced fix_title.js file, and publish source/provenance information.