Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SP-API Skill

v1.0.1

Amazon SP-API skill for OpenClaw agents. Fetch orders, check FBA inventory, manage listings and pricing. Works with any marketplace and seller account.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description match the included scripts (auth, orders, inventory, listings) and the skill only requires the node binary. However the registry metadata lists no required credentials while the SKILL.md and scripts clearly require Amazon SP-API credentials (LWA client id/secret, refresh token, seller/marketplace IDs) stored in a local JSON file; the omission in metadata is an inconsistency that should be clarified.
Instruction Scope
Runtime instructions are specific: install the amazon-sp-api npm package and create a local credentials file (amazon-sp-api.json). The scripts only call the official SP-API via amazon-sp-api and write optional output files. They do not attempt to read unrelated system paths. Note: SKILL.md tells you to set AMAZON_SPAPI_PATH, and the scripts read that env var — but that env var was not declared in registry metadata.
Install Mechanism
There is no platform install spec (instruction-only), but SKILL.md instructs users to run `npm install amazon-sp-api`. Installing a package from the public npm registry is expected here, but it carries the usual supply-chain risk; no unusual download URLs or archive extracts are present.
Credentials
The skill requires highly sensitive credentials (LWA client secret, refresh token, sellerId, marketplace) but the registry metadata declares no required env vars or primary credential. The scripts read a credentials file path from AMAZON_SPAPI_PATH (or default './amazon-sp-api.json'), so the skill accesses an environment variable that was not declared. This mismatch is a security concern: sensitive secrets are needed but not represented in the declared requirements or primary credential field.
Persistence & Privilege
The skill does not request permanent system presence (always: false) and does not modify other skills or global agent config. It reads/writes only the credential file and optional output JSON files; this is expected for the claimed functionality.
What to consider before installing
Before installing or using this skill:

(1) Verify the skill source and author — the package has no homepage and the registry owner is unknown.
(2) Expect to provide highly sensitive Amazon SP-API credentials (LWA client id/secret, refresh token, sellerId, marketplace). Do not paste these into public places. The skill expects them in a local file (amazon-sp-api.json) and optionally referenced by the AMAZON_SPAPI_PATH env var — note that the registry metadata did not declare these secrets.
(3) Inspect the included scripts in this bundle (you already have them) and confirm they only call Amazon SP-API and write local output; run them in an isolated environment (container/VM) first.
(4) Verify the npm dependency 'amazon-sp-api' comes from a trusted source and pin/check its integrity (use package-lock, checksum, or audit).
(5) If you want stricter control, keep the skill user-invocable only and consider disabling autonomous invocation for agents that hold your production credentials.
(6) If anything about provenance or the missing credential declaration worries you, do not install or provide credentials until the publisher clarifies why credentials were omitted from metadata.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

Bins: node

SKILL.md

Amazon SP-API Skill

Fetch orders, check FBA inventory, and manage listings — plug-and-play for any OpenClaw agent.


Setup

1. Install dependency

npm install amazon-sp-api

2. Create credentials file

{
  "lwaClientId": "amzn1.application-oa2-client.YOUR_CLIENT_ID",
  "lwaClientSecret": "YOUR_CLIENT_SECRET",
  "refreshToken": "Atzr|YOUR_REFRESH_TOKEN",
  "region": "eu",
  "marketplace": "YOUR_MARKETPLACE_ID",
  "sellerId": "YOUR_SELLER_ID"
}

Save as amazon-sp-api.json. Set AMAZON_SPAPI_PATH env var to point to it (default: ./amazon-sp-api.json).

Regions: na | eu | fe
Marketplace IDs: Full list


Scripts

auth.js — Test Connection

node scripts/auth.js

orders.js — Orders

node scripts/orders.js --list                          # last 7 days
node scripts/orders.js --list --days 30
node scripts/orders.js --list --status Unshipped
node scripts/orders.js --list --out orders.json
node scripts/orders.js --get ORDER-ID

inventory.js — FBA Inventory

node scripts/inventory.js
node scripts/inventory.js --sku "MY-SKU"
node scripts/inventory.js --out inventory.json

listings.js — Listings & Pricing

node scripts/listings.js --get "MY-SKU"
node scripts/listings.js --update "MY-SKU" --price 99.00
node scripts/listings.js --update "MY-SKU" --price 99.00 --currency USD

Notes

  • Tokens auto-refresh via LWA — no manual management
  • Keep credential files at chmod 600
  • Respect SP-API rate limits per endpoint
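
The following pre-flight check is an added example, not one of the skill's own scripts. It resolves the credentials path the way Setup describes (AMAZON_SPAPI_PATH, else ./amazon-sp-api.json) and enforces the chmod 600 note before anything reads the secrets; the function names resolveCredentialPath and checkCredentialFile are hypothetical.

```javascript
// Added example: pre-flight check for the SP-API credentials file.
const fs = require('node:fs');
const path = require('node:path');

// Field names and region values are the ones shown in the SKILL.md sample.
const REQUIRED = ['lwaClientId', 'lwaClientSecret', 'refreshToken',
  'region', 'marketplace', 'sellerId'];
const REGIONS = ['na', 'eu', 'fe'];

// Lookup order stated on the page: AMAZON_SPAPI_PATH, else ./amazon-sp-api.json.
function resolveCredentialPath(env = process.env) {
  return path.resolve(env.AMAZON_SPAPI_PATH || './amazon-sp-api.json');
}

// Returns a list of problems (never the secret values); empty means OK.
function checkCredentialFile(file) {
  let st;
  try {
    st = fs.lstatSync(file); // lstat: do not follow symlinks
  } catch (err) {
    return [`cannot stat file: ${err.code}`];
  }
  if (!st.isFile()) return ['not a regular file (symlinks are rejected)'];

  const problems = [];
  if (process.platform !== 'win32') { // POSIX mode bits only
    const mode = (st.mode & 0o777).toString(8);
    if (st.mode & 0o077) problems.push(`mode ${mode} allows group/other access; chmod 600`);
    if (st.uid !== process.getuid()) problems.push('file is owned by another user');
  }

  let creds;
  try {
    creds = JSON.parse(fs.readFileSync(file, 'utf8'));
  } catch {
    return problems.concat('file is not valid JSON');
  }
  if (creds === null || typeof creds !== 'object') {
    return problems.concat('top-level JSON value is not an object');
  }
  for (const key of REQUIRED) {
    const value = creds[key];
    if (typeof value !== 'string' || value === '') problems.push(`missing field: ${key}`);
    else if (/YOUR_[A-Z_]+$/.test(value)) problems.push(`placeholder left in: ${key}`);
  }
  if (typeof creds.region === 'string' && !REGIONS.includes(creds.region)) {
    problems.push('region must be one of na, eu, fe');
  }
  return problems;
}
```

Run checkCredentialFile(resolveCredentialPath()) before node scripts/auth.js and stop if the returned list is non-empty.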

Files

6 total