skill-listing-image-optimizer
Fail
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: HIGH
DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: Path Traversal Vulnerability. The local HTTP server in `scripts/push_images.js` serves files with `path.join(dir, req.url.replace(/^\//, ''))`. Stripping the leading slash is the only sanitisation; `path.join` normalises `..` segments rather than rejecting them, so a request such as `GET /../../etc/passwd` resolves to a path above the intended directory and the server returns any file readable by the user running the script. The correct check is to resolve the requested path against the absolute serving root and refuse anything that does not remain inside it.
- [DATA_EXFILTRATION]: Unauthenticated Public Data Exposure. `scripts/push_images.js` starts a web server on port 8899 bound to all interfaces (`0.0.0.0`) with no authentication. For the roughly 15 minutes it runs, every file in the target directory, and, through the traversal flaw above, any file the script's user can read, is available to anyone on the same network or, if the host is directly reachable, the public internet. The bind address cannot simply be changed to loopback, because the design depends on Amazon's crawlers reaching the server from outside; that makes the missing authentication and the traversal flaw more serious, not less.
- [EXTERNAL_DOWNLOADS]: External IP Discovery Dependency. The skill requests `https://api.ipify.org` to learn the host's public IP address. This is functionally necessary so that Amazon's crawlers can find the temporary server, but it adds a dependency on a third-party service and discloses the host's IP address to that service.
- [COMMAND_EXECUTION]: Script-Based Workflow. The skill executes Node.js and Python scripts to perform the audit and image processing. These scripts need filesystem and network access to work on the local environment and to call Amazon's Selling Partner API.
Recommendations
- AI detected serious security threats
Audit Metadata