linkfox-amazon-store-report
Pass
Audited by Gen Agent Trust Hub on May 30, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses
subprocess.runwithinscripts/get_report.pyto execute a local dependency check script (scripts/check_auth_dependency.py). This is implemented safely using absolute paths derived from the script's own location and the current Python executable. - [EXTERNAL_DOWNLOADS]: The skill interacts with vendor-owned API endpoints at
tool-gateway.linkfox.comandskill-api.linkfox.comto manage the report lifecycle. It also downloads report documents from Amazon's pre-signed URLs, which is the primary intended function of the skill. - [DATA_EXFILTRATION]: No unauthorized data exfiltration patterns were detected. The skill reads Amazon report data and saves it to local temporary directories. It includes a feature to serve the extracted report via a local HTTP server, which is strictly bound to
127.0.0.1and is short-lived (default 5 minutes), limiting access to the local machine. - [PROMPT_INJECTION]: The skill instructions in
SKILL.mdfollow standard task descriptions and do not contain patterns intended to bypass agent safety filters or override system constraints. - [CREDENTIALS_UNSAFE]: The skill correctly uses environment variables (
LINKFOXAGENT_API_KEY) for authentication rather than hardcoding secrets. Instructions explicitly guide users to use standard secret management practices (e.g.,.envfiles or exporting variables).
Audit Metadata