sif-amazon-research
Pass
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to generate and execute local scripts (referenced in
field-notes.md) to handle large data responses from the Sif MCP server. This dynamic script generation is used to summarize JSON data into a compact format before processing the final answer. - [DATA_EXFILTRATION]: Instructions in
field-notes.mddirect the agent to read sensitive configuration data (server URL and secret keys) from a local.mcp.jsonfile. While this is necessary for tool connectivity, it involves accessing credential-bearing files on the filesystem. The skill includes a guardrail explicitly forbidding the agent from repeating these keys in its output. - [PROMPT_INJECTION]: The skill processes untrusted external data retrieved from the Amazon marketplace (e.g., product titles, keyword trends, and competitor signals).
- Ingestion points: Data enters the context via
sif-mcptools such asops_get_asin_traffic_trendandmarket_get_asin_keyword_signals. - Boundary markers: No explicit XML/triple-backtick delimiters are required for the external data in the instructions.
- Capability inventory: The agent has the capability to write local files and execute generated scripts to process this data.
- Sanitization: The instructions recommend 'defensive extraction logic' and 'inspecting keys first' before processing tool responses, though no specific prompt-level sanitization for injection is mentioned.
Audit Metadata