taobao-shop-catalog

Warn

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions in SKILL.md describe a pattern for executing shell commands using string interpolation: eval "$(python scripts/extract-catalog.py '{shopId}' --page {page})". Because the {shopId} and {page} variables are sourced from user input and placed directly into a shell execution context without sanitization, the skill is vulnerable to command injection. An attacker could provide a malicious shopId containing shell metacharacters (e.g., '; <malicious_command> ;') to execute arbitrary code on the underlying system.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing untrusted data from external Taobao and Tmall product pages.
  • Ingestion points: Product titles, item IDs, and image URLs are extracted from external web pages via scripts/extract-catalog.py and ingested into the agent's context.
  • Boundary markers: The skill does not implement delimiters or provide instructions to the agent to disregard potential instructions embedded within the scraped content.
  • Capability inventory: The skill utilizes high-privilege tools including bash, python, and browser-act, which could be exploited if an injection occurs.
  • Sanitization: There is no evidence of sanitization, filtering, or validation of the content retrieved from the external sources before it is returned to the agent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 13, 2026, 04:39 AM
Security Audit — agent-trust-hub — taobao-shop-catalog