Back to skill

Security audit

Amazon Listing Image Optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly aligned with Amazon image optimization, but it can update live listings and exposes a public local file server with weak containment.

Review or fix the push script before installing. Use least-privilege or test SP-API credentials, keep the credential file outside any served directory, avoid running the public server on an internet-reachable host unless path containment and file allowlisting are added, and do not run bulk live pushes without reviewing targets and having a rollback plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions even though its documented behavior requires environment access, local file reads, and network communication. This is dangerous because operators and policy engines cannot accurately assess or constrain what the skill will do, especially when it handles SP-API credentials and exposes data over the network.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose understates materially risky behavior: it starts a public HTTP server, fetches the host's public IP, reads local credential files, and updates listing image URLs to externally hosted content rather than directly uploading binaries. This mismatch can mislead users into running a skill that exposes local files and modifies live listings in a way they did not expect, increasing the chance of data exposure and unintended production changes.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill includes a title-editing capability that is outside the stated scope of image optimization. Hidden or under-disclosed write capabilities against listing content are dangerous because they expand the blast radius from image hygiene to merchandising content changes on live Amazon listings.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
A listing title patch function is unjustified in an image optimizer and represents scope creep into unrelated high-impact seller operations. In this context, that makes the skill more dangerous because users may grant trust for image fixes while the skill can also alter customer-facing text and potentially harm compliance, branding, or conversion.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata promises automatic image padding to 2000×2000 and live listing updates, but this script only audits dimensions and writes a report. That mismatch is security-relevant because operators may grant SP-API access and rely on the skill to enforce listing compliance when it does not perform the advertised remediation, creating a false sense of protection and possible business-impacting noncompliance.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The module documentation suggests broad listing-image auditing, but the code only checks whether images are square and at least 1000px, not whether they meet the claimed 2000×2000 target. In the context of an Amazon listing-image optimization skill, this can mislead users into believing stricter compliance checks are being enforced, allowing noncompliant images to pass unnoticed.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script starts an unauthenticated HTTP server bound to 0.0.0.0 and then constructs a publicly reachable URL for Amazon to crawl. That unnecessarily exposes local files from the chosen directory to any host that can reach the machine during the 15-minute window, which is broader access than required for image processing and can leak unpublished or sensitive product media.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The comments describe a 'local HTTP server' but the implementation listens on 0.0.0.0 and advertises a public IP-based URL. This mismatch can mislead operators into believing exposure is limited to localhost, increasing the chance they run it on an internet-reachable host without understanding that listing images are being publicly served.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README describes auditing and optimizing listing images but does not clearly warn that the skill will modify live marketplace assets and push changes via SP-API. This can cause operators to run the skill without understanding that it performs write actions against production listings, increasing the risk of unintended image replacement, compliance issues, or storefront disruption.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill emphasizes automation but does not prominently warn that it modifies live Amazon listings. Lack of an explicit production-change warning can cause accidental execution against real seller accounts, leading to unintended listing updates at scale.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation notes a publicly accessible server is needed but does not clearly frame this as a security and privacy risk. Serving images from a temporary public HTTP endpoint can expose product assets, file paths, and potentially misconfigured local content to the internet during the crawl window.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script not only serves images over a publicly reachable HTTP endpoint but also automatically patches live Amazon listings to point at those URLs, with little emphasis on the exposure risk. In the context of a listing-image optimizer, this is more dangerous because users may expect offline image correction, not temporary internet exposure of assets and immediate modification of production listings.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/audit.js:16

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/push_images.js:17

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/audit.js:25

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/push_images.js:26