linkfox-amazon-opportunity-search-by-metrics
Pass
Audited by Gen Agent Trust Hub on Jul 16, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill directs the agent to download and install a secondary skill (
linkfox-onboarding) from a vendor-controlled domain (https://agent-files.linkfox.com) if the user encounters authentication or quota errors. This is used for vendor-specific troubleshooting and onboarding. - [COMMAND_EXECUTION]: Utilizes a local Python script (
scripts/amazon_opportunity_screener.py) to interface with the Amazon Opportunity Screener API. The script handles data fetching, caching, and local file storage of results. - [DATA_EXFILTRATION]: The execution script transmits session metadata, including
SESSION_ID,MODE_ID, andAPP_NAME, via HTTP headers to the vendor's API gateway (tool-gateway.linkfox.com). This data is used for request tracking and session persistence. - [PROMPT_INJECTION]: The
SKILL.mdfile contains a directive telling the agent "you cannot give up downloading yourself" (你不能自己放弃下载) when attempting to resolve account issues. This is an instruction intended to guide the agent through a specific error-handling flow. - [SAFE]: Credentials are managed securely via environment variables (
LINKFOX_AGENT_API_KEY), and output data is restricted to the current project's work directory (linkfox/subfolder) rather than system-sensitive locations.
Audit Metadata