zero2ai-hub

Skill Amazon Listing Optimizer

Author: Zero2Ai · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 522
Favorites: 0
Current installs: 1
Versions: 2
Install in OpenClaw
/install skill-amazon-listing-optimizer
Description
Audit Amazon product listing images for non-square dimensions, auto-pad them to 2000×2000 white background, and push corrected images to live listings via SP...
Security usage recommendations
This package appears to do what it claims, but stop and address the following before running on a production machine or with real seller credentials:
- The image pusher starts a public HTTP server and directly maps request paths to files without sanitizing ../ sequences. If you run this server on a publicly reachable IP, an attacker (or crawler) could download arbitrary files readable by the process. Run the server only in a hardened environment, serve from an isolated directory, or replace the simple server with a secure static-file server that prevents path traversal.
- Verify the SP‑API credential file (AMAZON_SPAPI_PATH) exists and that the credentials have only the minimal scopes needed (listings write). Keep those credentials private and rotate them if needed.
- The README/SKILL.md mention a fix_title.js script that is not included — treat the docs as slightly unreliable and inspect the included scripts carefully before use.
- The code makes an external call to api.ipify.org to detect the public IP; if you prefer not to call third‑party services, supply the public IP/hostname manually or use a secure proxy/S3 approach.
- If you plan to run this on a server, host the images on a controlled CDN/S3 with restricted access where possible and confirm Amazon's required URL handling rather than exposing your entire host.
If these issues are fixed (sanitize server paths or use a safe file server; remove missing/inaccurate docs), the skill would be coherent and appropriate for its purpose.
Functional analysis
Type: OpenClaw Skill
Name: skill-amazon-listing-optimizer
Version: 1.0.0
The skill's stated purpose is benign, but the `scripts/push_images.js` file contains a critical path traversal vulnerability. Its temporary HTTP server, exposed on a public IP, uses `path.join(dir, req.url.replace(/^\//, ''))` to serve files. This allows an attacker to use `../` sequences in the URL to read arbitrary files from the host system (e.g., `http://<ip>:<port>/../etc/passwd`), which is a significant data exfiltration risk. This is a severe vulnerability, classifying the skill as suspicious rather than benign, but without clear evidence of intentional malicious exploitation by the skill author.
Capability assessment
Purpose & Capability
Name/description match the code: scripts audit listings, pad images, and upload via SP‑API. Required binaries (node, python3) are reasonable for the included scripts and image tooling. Asking for SP‑API credentials (in a credentials file) is proportionate to the stated purpose.
Instruction Scope
The runtime instructions and scripts instruct the agent to start a public HTTP server and have Amazon crawl URLs — this is expected for the upload method used, but the server implementation does not sanitize request paths (path traversal risk) and will serve arbitrary filesystem files if exposed. The SKILL.md also references a fix_title.js script that is not present in the package, showing sloppy/incomplete documentation. The instructions additionally rely on an optional AMAZON_SPAPI_PATH env var (documented) even though the skill metadata lists no required env vars — a minor inconsistency.
Install Mechanism
There is no install spec (instruction-only install), and the dependencies are standard (Pillow via pip, amazon-sp-api via npm). No downloads from arbitrary URLs or archive extraction are present in the package. All code is included in the repo.
Credentials
The skill requires SP‑API credentials (lwa client id/secret, refresh token, sellerId, marketplace) stored in a local JSON file — this is expected for making listings changes. The package does not request unrelated credentials. One minor mismatch: SKILL.md mentions AMAZON_SPAPI_PATH env var (optional) but the registry metadata lists no required env vars; the credential file approach may be fine but users should ensure credentials provided have minimal necessary scopes (listingsItems write).
Persistence & Privilege
The skill is not set to always:true and does not request persistent system-wide privileges. It runs transient local servers and SP‑API calls as invoked, which matches the described purpose. Autonomous invocation is allowed (platform default) but not an additional red flag by itself.
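How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install skill-amazon-listing-optimizer
  3. Once installation completes, call the Skill by name or use /skill-amazon-listing-optimizer to trigger it
  4. Provide the necessary input according to the Skill's parameter description to get structured output
Version history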
v1.0.0
Version 1.0.0 — Initial Release
- Automatically audits Amazon product listing images for non-square dimensions.
- Auto-pads images to 2000×2000 pixels with a white background to meet Amazon requirements.
- Uploads corrected images directly to live listings via SP-API (no manual Seller Central steps needed).
- Works with any marketplace and seller account.
- Includes scripts for audit, local image fixing, image upload, and optional title patching.
v1.0.1
Renamed to include amazon keyword for discoverability
Metadata
Slug skill-amazon-listing-optimizer
Version 1.0.0
License
Total installs 1
Current installs 1
Historical versions 2
FAQ

What is Skill Amazon Listing Optimizer?

Audit Amazon product listing images for non-square dimensions, auto-pad them to 2000×2000 white background, and push corrected images to live listings via SP... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 522 total downloads to date.

How do I install Skill Amazon Listing Optimizer?

Run the command "/install skill-amazon-listing-optimizer" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is Skill Amazon Listing Optimizer free?

Yes, Skill Amazon Listing Optimizer is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Skill Amazon Listing Optimizer support?

Skill Amazon Listing Optimizer runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Skill Amazon Listing Optimizer?

Developed and maintained by Zero2Ai (@zero2ai-hub); the current version is v1.0.0.
