linkfox-amazon-store-report

Pass

Audited by Gen Agent Trust Hub on May 30, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses subprocess.run within scripts/get_report.py to execute a local dependency check script (scripts/check_auth_dependency.py). This is implemented safely using absolute paths derived from the script's own location and the current Python executable.
  • [EXTERNAL_DOWNLOADS]: The skill interacts with vendor-owned API endpoints at tool-gateway.linkfox.com and skill-api.linkfox.com to manage the report lifecycle. It also downloads report documents from Amazon's pre-signed URLs, which is the primary intended function of the skill.
  • [DATA_EXFILTRATION]: No unauthorized data exfiltration patterns were detected. The skill reads Amazon report data and saves it to local temporary directories. It includes a feature to serve the extracted report via a local HTTP server, which is strictly bound to 127.0.0.1 and is short-lived (default 5 minutes), limiting access to the local machine.
  • [PROMPT_INJECTION]: The skill instructions in SKILL.md follow standard task descriptions and do not contain patterns intended to bypass agent safety filters or override system constraints.
  • [CREDENTIALS_UNSAFE]: The skill correctly uses environment variables (LINKFOXAGENT_API_KEY) for authentication rather than hardcoding secrets. Instructions explicitly guide users to use standard secret management practices (e.g., .env files or exporting variables).
Audit Metadata
Risk Level
SAFE
Analyzed
May 30, 2026, 12:05 AM