sif-amazon-research

Pass

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to generate and execute local scripts (referenced in field-notes.md) to handle large data responses from the Sif MCP server. This dynamic script generation is used to summarize JSON data into a compact format before processing the final answer.
  • [DATA_EXFILTRATION]: Instructions in field-notes.md direct the agent to read sensitive configuration data (server URL and secret keys) from a local .mcp.json file. While this is necessary for tool connectivity, it involves accessing credential-bearing files on the filesystem. The skill includes a guardrail explicitly forbidding the agent from repeating these keys in its output.
  • [PROMPT_INJECTION]: The skill processes untrusted external data retrieved from the Amazon marketplace (e.g., product titles, keyword trends, and competitor signals).
  • Ingestion points: Data enters the context via sif-mcp tools such as ops_get_asin_traffic_trend and market_get_asin_keyword_signals.
  • Boundary markers: No explicit XML/triple-backtick delimiters are required for the external data in the instructions.
  • Capability inventory: The agent has the capability to write local files and execute generated scripts to process this data.
  • Sanitization: The instructions recommend 'defensive extraction logic' and 'inspecting keys first' before processing tool responses, though no specific prompt-level sanitization for injection is mentioned.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 18, 2026, 04:13 AM
Security Audit — agent-trust-hub — sif-amazon-research