Downloads: 423
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install skill-spapi
Description
Amazon SP-API skill for OpenClaw agents. Fetch orders, check FBA inventory, manage listings and pricing. Works with any marketplace and seller account.
Usage Guidance
Before installing or using this skill:
1. Verify the skill source and author: the package has no homepage and the registry owner is unknown.
2. Expect to provide highly sensitive Amazon SP-API credentials (LWA client id/secret, refresh token, sellerId, marketplace). Do not paste these into public places. The skill expects them in a local file (amazon-sp-api.json), optionally referenced by the AMAZON_SPAPI_PATH env var. Note that the registry metadata did not declare these secrets.
3. Inspect the included scripts in this bundle (you already have them) and confirm they only call Amazon SP-API and write local output; run them in an isolated environment (container/VM) first.
4. Verify the npm dependency 'amazon-sp-api' comes from a trusted source and pin/check its integrity (use package-lock, checksum, or audit).
5. If you want stricter control, keep the skill user-invocable only and consider disabling autonomous invocation for agents that hold your production credentials.
6. If anything about provenance or the missing credential declaration worries you, do not install or provide credentials until the publisher clarifies why credentials were omitted from metadata.
Capability Analysis
Type: OpenClaw Skill
Name: skill-spapi
Version: 1.0.1
The skill is classified as suspicious due to a potential arbitrary file write vulnerability. The scripts `scripts/inventory.js`, `scripts/listings.js`, and `scripts/orders.js` directly use the `--out` command-line argument as a file path for `fs.writeFileSync` without any sanitization or validation. This could allow an attacker, via prompt injection against the OpenClaw agent, to instruct the agent to write arbitrary data to arbitrary file paths on the system, potentially leading to remote code execution or data corruption.
Capability Assessment
Purpose & Capability
The name/description match the included scripts (auth, orders, inventory, listings) and the skill only requires the node binary. However the registry metadata lists no required credentials while the SKILL.md and scripts clearly require Amazon SP-API credentials (LWA client id/secret, refresh token, seller/marketplace IDs) stored in a local JSON file; the omission in metadata is an inconsistency that should be clarified.
Instruction Scope
Runtime instructions are specific: install the amazon-sp-api npm package and create a local credentials file (amazon-sp-api.json). The scripts only call the official SP-API via amazon-sp-api and write optional output files. They do not attempt to read unrelated system paths. Note: SKILL.md tells you to set AMAZON_SPAPI_PATH, and the scripts read that env var — but that env var was not declared in registry metadata.
Install Mechanism
There is no platform install spec (instruction-only), but SKILL.md instructs users to run `npm install amazon-sp-api`. Installing a package from the public npm registry is expected here, but it carries the usual supply-chain risk; no unusual download URLs or archive extracts are present.
Credentials
The skill requires highly sensitive credentials (LWA client secret, refresh token, sellerId, marketplace) but the registry metadata declares no required env vars or primary credential. The scripts read a credentials file path from AMAZON_SPAPI_PATH (or default './amazon-sp-api.json'), so the skill accesses an environment variable that was not declared. This mismatch is a security concern: sensitive secrets are needed but not represented in the declared requirements or primary credential field.
Persistence & Privilege
The skill does not request permanent system presence (always: false) and does not modify other skills or global agent config. It reads/writes only the credential file and optional output JSON files; this is expected for the claimed functionality.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install skill-spapi`
- After installation, invoke the skill by name or use `/skill-spapi`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Renamed from skill-amazon-spapi — orders, FBA inventory, listings & pricing
Frequently Asked Questions
What is SP-API Skill?
Amazon SP-API skill for OpenClaw agents. Fetch orders, check FBA inventory, manage listings and pricing. Works with any marketplace and seller account. It is an AI Agent Skill for Claude Code / OpenClaw, with 423 downloads so far.
How do I install SP-API Skill?
Run "/install skill-spapi" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is SP-API Skill free?
Yes, SP-API Skill is completely free (open-source). You can download, install and use it at no cost.
Which platforms does SP-API Skill support?
SP-API Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created SP-API Skill?
It is built and maintained by Zero2Ai (@zero2ai-hub); the current version is v1.0.1.