linkfox-amazon-reviews-list
Fail
Audited by Snyk on Jul 15, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). Contains a direct download link to a release ZIP (agent-files.linkfox.com/skills/linkfox-onboarding/release.zip) that the skill instructs to download and install — distributing executable content via a custom file-hosting subdomain is a common malware vector and should be treated as suspicious unless verified.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). Outsider-authored free text (Amazon customer review
title/textfields) is fetched at runtime via the/amazon/reviews/listAPI and then serialized/printed to stdout (full JSON when ≤8KB or with--inline), which can be ingested into the agent’s LLM context.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's runtime instructions tell the agent to download and install remote onboarding code from https://agent-files.linkfox.com/skills/linkfox-onboarding/release.zip, which fetches external executable skill content that can control agent behavior.
Issues (3)
E005
CRITICALSuspicious download URL detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata