zero2ai-hub

Listing Image Optimizer

Author: Zero2Ai · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
Total downloads: 414
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install skill-listing-optimizer
Description
Audit Amazon product listing images for non-square dimensions, auto-pad them to 2000×2000 white background, and push corrected images to live listings via SP...
Security usage advice
This skill appears to implement the advertised pipeline but has a few red flags you should consider before installing and running it:
- Sensitive credentials: you must create an SP-API credentials file (refresh token, LWA client id/secret, sellerId). Treat this file like a secret — only place it on machines you control and do not expose it. The skill reads the file from AMAZON_SPAPI_PATH or ./amazon-sp-api.json; metadata did not declare this, so double-check before running.
- Public HTTP server: push_images.js serves image files on 0.0.0.0 and advertises a public URL for Amazon to crawl. This will expose any files in the directory at that port while the server is running — consider using a trusted public hosting option (S3 with pre-signed URLs or a secure proxy) instead of opening a host/port on a VPS.
- Missing file: SKILL.md documents a fix_title.js command but that file is not included. Expect incomplete/rough edges; review the scripts locally before use.
- Verify dependencies: npm package amazon-sp-api and pip Pillow will be installed locally. Inspect package versions and consider running in an isolated environment (container or VM).
- Best practices: run first on a test account, rotate/revoke SP-API tokens if you suspect exposure, and audit logs and network access. If you are uncomfortable exposing a public port, adapt the code to upload fixed images to S3 and use S3 URLs for SP-API updates instead of a local server.
Functional analysis
Type: OpenClaw Skill
Name: skill-listing-optimizer
Version: 1.0.1
The skill bundle is classified as suspicious primarily due to the `scripts/push_images.js` file. This script initiates a temporary HTTP server on a public IP address (`0.0.0.0`) to serve image files, which Amazon's SP-API is instructed to crawl. While this functionality is described as necessary for the skill's stated purpose of updating Amazon listings, exposing a local directory via a publicly accessible HTTP server, even temporarily and for specific files, introduces a significant security risk. If the agent were to be prompted to use a sensitive directory for this server, it could lead to unauthorized data exposure. The `SKILL.md` also explicitly highlights the requirement for a publicly accessible IP/port for this operation.
Capability assessment
Purpose & Capability
The name/description match the included scripts (audit.js, pad_to_square.py, push_images.js). Required binaries (node, python3) and dependencies (Pillow, amazon-sp-api) are appropriate for the stated purpose. Minor mismatch: metadata declares no required credentials/env but the scripts expect an SP-API credentials file (amazon-sp-api.json) containing refresh token/client id/secret and sellerId — this is expected for SP-API use but wasn't declared in the registry metadata.
Instruction Scope
SKILL.md instructs installing packages, creating an SP-API credentials file, and running the three scripts — which is consistent with the code. But SKILL.md references a fix_title.js command that is not present in the file manifest (missing file). push_images.js intentionally spins up an HTTP server bound to 0.0.0.0 and serves files publicly for ~15 minutes; that behavior is within the claimed purpose (Amazon needs to crawl images) but is a data-exposure/vector risk and should be explicit to users. The scripts read the credentials file from a path set via AMAZON_SPAPI_PATH (or default ./amazon-sp-api.json) — the README/metadata did not declare this env var.
Install Mechanism
There is no automated install spec; the skill is instruction-plus-scripts. Dependencies are typical (pip Pillow, npm amazon-sp-api). No downloads from untrusted URLs or archive extraction are present in the package itself.
Credentials
The runtime requires SP-API credentials containing a refresh token, LWA client id/secret and seller/marketplace identifiers — these are sensitive and necessary for the declared purpose. However, the registry metadata lists no primary credential or required env vars, creating an omission that could mislead users about what secrets they must provide. The code also references optional env PRODUCT_TYPE and AMAZON_SPAPI_PATH; these env uses are not declared in metadata.
Persistence & Privilege
The skill does not request persistent/always-on privileges. It can run autonomously (default platform behavior) but does not modify other skills or system configs. Operationally, it opens a temporary public HTTP server (0.0.0.0) that serves image files for ~15 minutes — not persistent, but network-exposed and potentially accessible to anyone who can reach the host/port.
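How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install skill-listing-optimizer
  3. Once installation completes, call the Skill by name or trigger it with /skill-listing-optimizer
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history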
v1.0.1
Audit, pad, and push square product listing images via SP-API
Metadata
Slug skill-listing-optimizer
Version 1.0.1
License
Total installs 0
Current installs 0
Version count 1
FAQ

What is Listing Image Optimizer?

Audit Amazon product listing images for non-square dimensions, auto-pad them to 2000×2000 white background, and push corrected images to live listings via SP... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 414 total downloads to date.

How do I install Listing Image Optimizer?

Run the command "/install skill-listing-optimizer" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is Listing Image Optimizer free?

Yes, Listing Image Optimizer is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Listing Image Optimizer support?

Listing Image Optimizer runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Listing Image Optimizer?

It is developed and maintained by Zero2Ai (@zero2ai-hub); the current version is v1.0.1.
