SP-API Skill

Pass. Audited by VirusTotal on May 11, 2026.

Findings (1)

The skill is classified as suspicious due to a potential arbitrary file write vulnerability. The scripts `scripts/inventory.js`, `scripts/listings.js`, and `scripts/orders.js` directly use the `--out` command-line argument as a file path for `fs.writeFileSync` without any sanitization or validation. This could allow an attacker, via prompt injection against the OpenClaw agent, to instruct the agent to write arbitrary data to arbitrary file paths on the system, potentially leading to remote code execution or data corruption.